Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. You check the Resultant Set of Policy (RSoP) of Server1. The effective settings are shown in the exhibit.
You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1.
What should you do?
A. Change the settings of the audit policy in Group Policy Object (GPO) ServersGPO
B. On Server1, attach a task to the security log.
C. On Server1, attach a task to the System log.
D. Change the settings of the Advanced Audit Policy Configuration in Group Policy Object (GPO) ServersGPO
Correct Answer: A
Explanation/Reference:
The exhibit shows that the Audit account management policy is enabled only for failed attempts. To record the creation and deletion of accounts, successful account management attempts must be audited as well. The Audit account management security setting determines whether each account management event on a computer is audited.
The account management events include:
▪ A user account or user group is created, changed or deleted.
▪ A user account is renamed, disabled or enabled.
▪ A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to "No auditing", open the "Properties" dialog box for this policy setting, select the "Define these policy settings" check box, and clear the "Success" and "Failure" check boxes.
When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.
Enabling Advanced Audit Policy Configuration
Basic and advanced audit policy configurations should not be mixed. As such, it's best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.
In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit Policy settings
- Any changes to user account and resource permissions.
- Any failed attempts for user logon.
- Any failed attempts for resource access.
- Any modification to the system files.
Advanced Audit Configuration Settings
Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
In ServersGPO, modify the Audit Policy settings: enabling the Audit account management setting generates events for account creation, deletion, and so on.
Advanced Audit Configuration Settings -> Audit Policy -> Account Management -> Audit User Account Management
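To confirm on Server1 that the change took effect, the following added example (not part of the original question or its references) reads the effective User Account Management setting, checks the SCENoApplyLegacyAuditPolicy value, and lists the resulting Security log events. It assumes an elevated PowerShell session on an English-language system and uses the standard Security log event IDs 4720 (user account created) and 4726 (user account deleted), which the page itself does not list.

```powershell
# Added example: verify that local account creation/deletion is audited on this server.
# Assumptions: elevated session, English-language OS (auditpol subcategory names are localized).

# 1. Effective setting for the subcategory; /r emits CSV so it can be parsed.
$row = auditpol /get /subcategory:"User Account Management" /r |
    Where-Object { $_ } |          # drop blank lines before CSV parsing
    ConvertFrom-Csv
$setting = $row.'Inclusion Setting'   # Success, Failure, Success and Failure, or No Auditing
"User Account Management: $setting"
if ($setting -notmatch 'Success') {
    Write-Warning 'Success auditing is off: account creation and deletion will not be logged.'
}

# 2. Registry value written by "Audit: Force audit policy subcategory settings ...".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    'SCENoApplyLegacyAuditPolicy = 1 (subcategory settings override basic audit policy)'
} else {
    'SCENoApplyLegacyAuditPolicy is not set to 1 in the registry'
}

# 3. After creating and deleting a test account, look for the events.
#    4720 = a user account was created, 4726 = a user account was deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'TargetAccount'; e = { $_.Properties[0].Value } },  # TargetUserName
        @{ n = 'ChangedBy';     e = { $_.Properties[4].Value } }   # SubjectUserName
```

If step 1 still reports Failure only after the GPO change, run gpupdate /force on Server1 and check again.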
http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computer-account-deletion-in-active-directory.aspx
http://technet.microsoft.com/en-us/library/dd772623%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx#BKMK_step2
http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx
http://www.petri.co.il/enable-advanced-audit-policy-configuration-windows-server.htm