A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change is audited.
What should you do first?
A.
Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object.
B.
Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
C.
Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.
D.
Modify the searchFlags property for the User class in the schema.
Answer is A for sure check this link
http://technet.microsoft.com/en-us/library/cc731607%28v=WS.10%29.aspx
The answer A, enable the auditing for the entire AD DS object, and not only for OU named Employees!!!
For me is B!!!
The correct answer is A
In this particular case, we are only concerned with auditing a name change. Answers A thru C will involve auditing all directory service access. To enable auditing for a single attribute within the directory service, searchFlag properties would need to be properly set.
Correct answer is D.
http://technet.microsoft.com/en-us/library/cc731607%28v=WS.10%29.aspx
Disregard. I missed that whole “What should you do first?” part… 🙁
Although the article refers to attached audit (http://technet.microsoft.com/en-us/library/cc731607%28v=WS.10%29.aspx), but this does not go with the question:
When you modify the Employees OU, these changes should be AUDITED. But it does not refer to the entire domain.
I think the answer is B