You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change is audited

A corporate network includes a single Active Directory Domain Services (AD DS) domain. All
regular user accounts reside in an organizational unit (OU) named Employees. All
administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee’s name in AD DS,
the change is audited.
What should you do first?

A.
Enable the Audit directory service access setting in the Default Domain Controllers Policy
Group Policy Object.

B.
Create a Group Policy Object with the Audit directory service access setting enabled and
link it to the Employees OU.

C.
Enable the Audit directory service access setting in the Default Domain Policy Group
Policy Object.

D.
Modify the searchFlags property for the User class in the schema.

Explanation:
To audit changes made to objects in AD DS, we have to use Directory Service Changes
auditing, which records the old and new values of the changed properties of the objects
that were changed. Directory Service Changes auditing is a subcategory of Audit directory
service access and is not enabled by default.
To use it, we have to enable it first. We can do that specifically for Directory Service
Changes by using auditpol.exe, or we can use Group Policy Management to enable Audit
directory service access, which enables all subcategories, including Directory Service
Changes. You do this by modifying the Default Domain Controllers Policy.

http://technet.microsoft.com/en-us/library/cc731607.aspx
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit
directory service access, that controlled whether auditing for directory service events was
enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication
This step includes procedures to enable change auditing with either the Windows interface
or a command line:
By using Group Policy Management, you can turn on the global audit policy, Audit directory
service access, which enables all the subcategories for AD DS auditing.
To enable the global audit policy using the Windows interface
1. Click Start, point to Administrative Tools, and then Group Policy Management.
2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain
Controllers Policy, and then click Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings,
double-click Security Settings, double-click Local Policies, and then click Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success check box, and then click OK.
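
The command-line alternative mentioned in the explanation, as an added example that is not from the original page or the TechNet guide: it enables only the Directory Service Changes subcategory with auditpol.exe, then reads the resulting 5136 events and pairs the old and new values of name attributes changed under the Employees OU. The OU distinguished name is a placeholder, and the script assumes an auditing entry (SACL) for property writes already exists on the Employees OU.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# $EmployeesOu is a placeholder DN; substitute the real domain components.
$EmployeesOu = 'OU=Employees,DC=corp,DC=example'
$NameAttrs   = 'displayName', 'givenName', 'sn'

# Enable only the Directory Service Changes subcategory, then confirm the setting.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"

# Event 5136 = "A directory service object was modified". Each event carries one
# deleted or added value; OpCorrelationID ties the events of a single change together.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named EventData fields of this event into a hashtable.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.ObjectDN -like "*,$EmployeesOu" -and $NameAttrs -contains $d.AttributeLDAPDisplayName) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Admin     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Attribute = $d.AttributeLDAPDisplayName
            Operation = $d.OperationType   # %%14674 = value added, %%14675 = value deleted
            Value     = $d.AttributeValue
            OpId      = $d.OpCorrelationID
        }
    }
}

# One row per change: old value (deleted) and new value (added) side by side.
$rows | Group-Object OpId, Attribute | ForEach-Object {
    $first = $_.Group | Select-Object -First 1
    [pscustomobject]@{
        Time      = $first.Time
        Admin     = $first.Admin
        Object    = $first.Object
        Attribute = $first.Attribute
        OldValue  = ($_.Group | Where-Object Operation -eq '%%14675').Value
        NewValue  = ($_.Group | Where-Object Operation -eq '%%14674').Value
    }
} | Sort-Object Time | Format-Table -AutoSize
```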
