You need to ensure that if a group Managed Service Account resets a password of a domain user account, an audit entry is created

Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012
R2.
The network contains several group Managed Service Accounts that are used by four member servers.
You need to ensure that if a group Managed Service Account resets a password of a domain user account, an
audit entry is created.
You create a Group Policy object (GPO) named GPO1.
What should you do next?

A.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management.
Link GPO1 to the Domain Controllers organizational unit (OU).

B.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User Account Management.
Move the member servers to a new organizational unit (OU). Link GPO1 to the new OU.

C.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege Use. Link
GPO1 to the Domain Controllers organizational unit (OU).

D.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive Privilege Use. Move
the member servers to a new organizational unit (OU). Link GPO1 to the new OU.

Explanation:

Audit User Account Management
This security policy setting determines whether the operating system generates audit events when the
following user account management tasks are performed:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
A user account password is set or changed.
Security identifier (SID) history is added to a user account.
The Directory Services Restore Mode password is set.
Permissions on accounts that are members of administrators groups are changed.
Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing user accounts.
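
The following PowerShell is an added example, not part of the original question or explanation. It shows how the password-reset events produced by this subcategory (Event ID 4724) can be filtered down to resets whose caller is a group Managed Service Account. The function name, the account names and the sample events are constructed for illustration.

```powershell
# Event ID 4724 ("An attempt was made to reset an account's password") is
# logged under the User Account Management subcategory.
# Check the effective setting with: auditpol /get /subcategory:"User Account Management"
function Get-GmsaPasswordReset {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # 4724 events as XML strings
        [Parameter(Mandatory)] [string[]] $GmsaName   # sAMAccountNames of the gMSAs
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System.EventID -ne '4724') { continue }
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($GmsaName -contains $data['SubjectUserName']) {
            [pscustomobject]@{
                Time   = $evt.System.TimeCreated.SystemTime
                Caller = $data['SubjectUserName']   # account that performed the reset
                Target = $data['TargetUserName']    # account whose password was reset
            }
        }
    }
}

# Constructed sample events (trimmed to the fields used here), not real log data.
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4724</EventID><TimeCreated SystemTime='{0}'/></System><EventData><Data Name='TargetUserName'>{1}</Data><Data Name='SubjectUserName'>{2}</Data></EventData></Event>"
$sample = @(
    ($template -f '2015-03-01T10:00:00Z', 'jsmith', 'svc-gmsa1$'),
    ($template -f '2015-03-01T10:05:00Z', 'adoe', 'helpdesk1')
)
Get-GmsaPasswordReset -EventXml $sample -GmsaName 'svc-gmsa1$'   # returns only the jsmith reset

# Against a live Security log (requires the ActiveDirectory module and an elevated session):
#   $names = (Get-ADServiceAccount -Filter *).SamAccountName
#   $xml   = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} | ForEach-Object { $_.ToXml() }
#   Get-GmsaPasswordReset -EventXml $xml -GmsaName $names
```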




Matt

Answer should be B:

The Member Servers should be in their own OU.

No

How about a link or some proof?
Otherwise, you’re just causing confusion.

No

Can anybody else elaborate on this?

Sam

No, the modification of user accounts happens in the AD database which is replicated among domain controllers

MCSA

A, no reason to link it to the member server since the accounts are “stored” on a DC

Cribb

The accounts should be in AD which would be on a DC and not a member server.

someone

to apply to member server you wouldn’t use domain controller OU so B should be right