You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1

Your network contains an Active Directory domain named contoso.com. The domain contains a file
server named Server1 that runs Windows Server 2012 R2.
You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that an entry is added to the event log whenever a local user account is created
or deleted on Server1.
What should you do?

A. In Servers GPO, modify the Advanced Audit Configuration settings.
B. On Server1, attach a task to the security log.
C. In Servers GPO, modify the Audit Policy settings.
D. On Server1, attach a task to the system log.

Explanation:
When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings
are not overwritten by basic audit policy settings. The following procedure shows how to prevent
conflicts by blocking the application of any basic audit policy settings.

Enabling Advanced Audit Policy Configuration
Basic and advanced audit policy configurations should not be mixed. As such, it’s best practice to
enable the setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to
override audit policy category settings" in Group Policy to make sure that basic auditing is disabled.
The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options,
and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using
Group Policy and the Local Security Policy MMC snap-in.

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and
failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.

These 53 new settings allow you to select only the behaviors that you want to monitor and exclude
audit results for behaviors that are of little or no concern to you, or behaviors that create an
excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2
security audit policy can be applied by using domain Group Policy, audit policy settings can be
modified, tested, and deployed to selected users and groups with relative simplicity.

Audit Policy settings
Any changes to user account and resource permissions.
Any failed attempts for user logon.
Any failed attempts for resource access.
Any modification to the system files.

Advanced Audit Configuration Settings
Audit compliance with important business-related and security-related rules by tracking precisely
defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.

In Servers GPO, modify the Audit Policy settings: enabling the Audit account management setting will
generate events about account creation, deletion and so on.

Advanced Audit Configuration Settings -> Audit Policy -> Account Management -> Audit User Account Management
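
The following PowerShell is an added example, not part of the original page: it checks on the server whether the subcategory override described above is in force, shows the effective account management audit setting, and lists the resulting Security log entries. It assumes an elevated session on an English-language system; the registry path under `Control\Lsa` and event IDs 4720 (user account created) and 4726 (user account deleted) are standard Windows values, not taken from the page.

```powershell
# Added example: run in an elevated PowerShell session on the server being checked.

# 1. Is "Audit: Force audit policy subcategory settings ..." enabled?
#    A value of 1 means the advanced (subcategory) settings override the
#    basic Audit Policy categories.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -eq 1) {
    'Subcategory override: enabled (basic Audit Policy categories are ignored)'
} else {
    'Subcategory override: not set (basic and advanced settings can conflict)'
}

# 2. What is actually in effect for account management auditing?
#    Look for "Success" (and optionally "Failure") next to the subcategory.
auditpol.exe /get /subcategory:"User Account Management"

# 3. List account creation (4720) and deletion (4726) events from the Security log.
#    For a local account on a member server, the account's domain field is the
#    server's own name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> elements of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 4720) { 'created' } else { 'deleted' }
            Account = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
            By      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } | Format-Table -AutoSize
```

If step 3 returns nothing after a test account has been created and deleted, the audit setting shown in step 2 is not being applied to the server.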




jsoh

You do not want to combine advanced audit policy and regular audit policy settings. The answer should be C because the regular audit policy for account management is selected which will monitor events having to do with account management.

hippo

Yup, actually the explanation below the answer also says to use the basic audit policies…

Fréd

C. In Servers GPO, modify the Audit Policy settings.

Justbecause

Has to be A, only Advance Security will let you audit account creation or deletion.

MikeB

I think the answer is C

https://technet.microsoft.com/en-us/library/cc976377.aspx

Audit account management

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description
Determines whether to audit each event of account management on a computer. Examples of account management events include:
A user account or group is created, changed, or deleted
A user account is renamed, disabled, or enabled
A password is set or changed
By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when any account management event is successful. Failure audits generate an audit entry when any account management event fails. You can select No auditing by defining the policy setting and unchecking Success and Failure.

Piteros77

???
Answer A and explanation shows answer C 🙂

In my opinion C is the right answer