A corporate network includes a single Active Directory Domain Services (AD DS) domain. All
regular user accounts reside in an organisational unit (OU) named Employees. All
administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee’s name in AD DS,
the change is audited.
What should you do first?
A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
B. Modify the searchFlags property for the Name attribute in the Schema.
C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Admins OU.
D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.
Explanation:
Before we can use the Directory Service Changes audit policy subcategory, we have to
enable it first. We can do that by using auditpol.exe.
http://technet.microsoft.com/en-us/library/cc731607.aspx
Auditing changes to objects in AD DS
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit
directory service access, that controlled whether auditing for directory service events was
enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication
The ability to audit changes to objects in AD DS is enabled with the new audit policy
subcategory Directory Service Changes. This guide provides instructions for implementing
this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating,
modifying, moving, or undeleting an object. The new audit policy subcategory adds the
following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous
and current values of the attribute. If the attribute has more than one value, only the values
that change as a result of the modify operation are logged.
(…)
Steps to set up auditing
This section includes procedures for each of the primary steps for enabling change auditing:
Step 1: Enable audit policy.
Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface
or a command line:
(…)
By using the Auditpol command-line tool, you can enable individual subcategories.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
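Both steps carried out from PowerShell, as an added example that is not part of the question or of the TechNet text it quotes: it goes beyond the quoted command by also performing Step 2, the SACL entry that the text leaves to Active Directory Users and Computers. The domain DN is a placeholder and the choice of Everyone as the audited principal is an assumption.

```powershell
# Added example, not part of the question or the TechNet text it quotes.
# Assumptions: run elevated on a domain controller with the ActiveDirectory
# module (RSAT); "DC=corp,DC=example" is a placeholder for the real domain DN.
Import-Module ActiveDirectory

# Step 1: enable the Directory Service Changes subcategory for successful
# operations. Until this is on, no SACL entry produces an event.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"   # should report Success

# Step 2: SACL on the Employees OU so that successful writes to the "name"
# attribute of any user object beneath it are audited. The principal is
# Everyone (S-1-1-0): the entry must record whoever makes the change,
# administrators included, which is why nothing is placed on the Admins OU.
$employeesOu = "OU=Employees,DC=corp,DC=example"   # placeholder DN
$everyone    = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")

# Resolve the schemaIDGUIDs of the "name" attribute and the "user" class from
# the schema partition instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$nameGuid = [guid](Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=name))").schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))").schemaIDGUID

# Audit entry: WriteProperty on "name" (objectType), applied to descendant
# objects of class user only (inheritedObjectType), for successful operations.
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $nameGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid
)

$acl = Get-Acl -Path "AD:\$employeesOu" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$employeesOu" -AclObject $acl

# Check: with both steps in place, a modified name on a user under the OU
# shows up as event 5136 (A directory service object was modified) in the
# Security log, carrying the old and new attribute value as described above.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=5136]]" -MaxEvents 5 |
    Format-List TimeCreated, Message
```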