You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1

Your network contains an Active Directory domain named contoso.com. The domain contains a file server
named Server1 that runs Windows Server 2012 R2.
You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that an entry is added to the event log whenever a local user account is created or deleted
on Server1.
What should you do?

A. In Servers GPO, modify the Advanced Audit Configuration settings.
B. On Server1, attach a task to the security log.
C. In Servers GPO, modify the Audit Policy settings.
D. On Server1, attach a task to the system log.

Explanation:

When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.

Enabling Advanced Audit Policy Configuration

Basic and advanced audit policy configurations should not be mixed. As such, it is best practice to enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.

Audit Policy settings

Any changes to user account and resource permissions.
Any failed attempts for user logon.
Any failed attempts for resource access.
Any modification to the system files.

Advanced Audit Configuration Settings

Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.

In Servers GPO, modify the Audit Policy settings – enabling the Audit account management setting will generate events about account creation, deletion and so on.

Advanced Audit Configuration Settings -> Audit Policy -> Account Management -> Audit User Account Management
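
A way to check the result on Server1 itself, as an added example that is not part of the original page: it reads the SCENoApplyLegacyAuditPolicy value, reads the effective "User Account Management" subcategory with auditpol, and confirms that creating and deleting a throwaway local account writes Security-log events 4720 (user account created) and 4726 (user account deleted). The event IDs, the `audit-test-` account name and the English-language auditpol names are assumptions that do not come from the page.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell
# session; assumes English-language Windows, since auditpol names are localized.
$sub = 'User Account Management'

# 1. Is "Force audit policy subcategory settings ..." in effect?
#    SCENoApplyLegacyAuditPolicy = 1 means basic (category) settings are ignored.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $(if ($null -eq $force) { 'not set' } else { $force })"

# 2. Effective setting of the subcategory (/r prints CSV; drop blank lines).
$row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
"Effective '$sub' setting: $($row.'Inclusion Setting')"

if ($row.'Inclusion Setting' -notmatch 'Success') {
    # Fix this in the GPO, not locally: a local auditpol /set is overwritten
    # at the next policy refresh if the GPO defines the subcategory.
    Write-Warning "Success auditing is off for '$sub'. Enable it in the GPO, run gpupdate, then re-run."
}
else {
    # 3. Create and delete a throwaway local account (constructed name, 14-character password).
    $name  = 'audit-test-' + (Get-Random -Maximum 9999)
    $pw    = 'Aa1!' + [guid]::NewGuid().ToString('N').Substring(0, 10)
    $since = (Get-Date).AddSeconds(-2)
    net user $name $pw /add | Out-Null
    net user $name /delete  | Out-Null
    Start-Sleep -Seconds 2

    # 4. Expect one 4720 (created) and one 4726 (deleted) for that account.
    #    Properties[0] is the target account name, Properties[4] the acting user.
    $filter = @{ LogName = 'Security'; Id = 4720, 4726; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $name }

    $events | Sort-Object TimeCreated | Select-Object TimeCreated, Id,
        @{ n = 'TargetUser';  e = { $_.Properties[0].Value } },
        @{ n = 'SubjectUser'; e = { $_.Properties[4].Value } }

    if (@($events).Count -lt 2) {
        Write-Warning 'Account was created and deleted but fewer than two audit events were logged.'
    }
}
```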




Nijntje

I would go for C.

sergey

just check it on y system

piet

what is the correct answer

Massimo

Basic Audit Policies do override Advanced Audit Policies of the same category, so in order to achieve the desired result, you have to modify the base Audit account management setting, or modify the advanced Audit policy AND enable the “Force Audit Policy Subcategory Settings (Windows Vista Or Later) To Override Audit Policy Category Settings” setting.
To me it is C.

den

it’s vice versa, and the Force-setting is enabled by default, check the MS docs…

Vietnam

I would go for C too… as we don’t see how the Advanced object access is set up, but we can clearly see that Account management in Audit Policy is set to failure only. So when somebody successfully creates an account, nothing is logged as it is not a failure.

Leanne

A

once you start using Advanced Audit Configuration then it will override the Audit Policy configuration. At first it also looked OK for me just modifying the Audit Policy. But after using the Advanced thing I was not able to get the Audit Policy settings back working.
Advanced will even override the basic stuff if all settings there are set to “not configured”! And it is also not possible to revert that, so take care with this p.o.s…

therefore as they are showing that Advanced config is already being used: provided answer is correct

pigstepper

My Prof just confirmed, the answer is C.
U need to edit the “Audit Account Management” Policy from the Pic which is set to false.

ABC

I am sure it will be A, as per Orin Thomas Administering Windows Server 2012 Training Guide Page 586-587.

Audit Policy: The drawback of these policies is that they are general, and you can’t be specific in the way you configure auditing. When you use these policies, you’ll not only audit the events that you’re interested in but you’ll also end up auditing many events that you don’t need to know about.

Advanced Audit Policy: The advanced audit policies enable you to be more specific in the types of activity you audit. The advanced audit policies are located under the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
There are 10 groups of audit policy settings and 58 individual audit policies available through Advanced Audit Policy Configuration. The audit policy groups contain the following settings:

■■ Account Logon You can audit credential validation and Kerberos-specific operations.
■■ Account Management You can audit account management operations, such as changes to computer accounts, user accounts, and group accounts.
■■ Detailed Tracking You can audit encryption events, process creation, process termination, and RPC events.
■■ DS Access You can audit Active Directory access and functionality
■■ Logon/Logoff You can audit logon, logoff, and other account activity events, including IPsec and Network Policy Server (NPS) events.
■■ Object Access You can audit access to objects including files, folders, applications, and the registry.
■■ Policy Change You can audit changes to audit policy.
■■ Privilege Use You can audit the use of privileges.
■■ System You can audit changes to the security subsystem.
■■ Global Object Access Auditing You can configure expression-based audit policies for files and the registry.

kurt

Leanne is 100% correct. has to be A

mist74

If you use answer C, then a LOT of unwanted audit entries will flow to the event log: about group management, for example. It is because there are no options; you can choose only whether you want to audit failures or successes.
According to A, FINE choosing of what audit you are interested in is possible. Six options are available, 4 of them are attending to groups, and the last one is what we seek: “Audit User Account Management”.
So, I think that given answer A is correct.