A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named Employees.
All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change is audited.
What should you do first?
A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object.
B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.
D. Modify the searchFlags property for the User class in the schema.
Correct Answer: A
Explanation/Reference:
Same question as J/Q7, different set of answers.
To audit changes made to objects in AD DS we have to use Directory Service Changes auditing, which indicates the old and new values of the changed properties of the objects that were changed. Directory Service Changes auditing is a subcategory of Audit directory service access, and is not enabled by default. To use it we have to enable it first, and we can do that specifically for Directory Service Changes by using auditpol.exe, or we can use Group Policy Management to enable Audit directory service access, which enables all subcategories, including Directory Service Changes. You do this by modifying the Default Domain Controllers Policy.
Reference:
http://technet.microsoft.com/en-us/library/cc731607.aspx
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
This step includes procedures to enable change auditing with either the Windows interface or a command line:
By using Group Policy Management, you can turn on the global audit policy, Audit directory service access, which enables all the subcategories for AD DS auditing.
To enable the global audit policy using the Windows interface
1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success check box, and then click OK.
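
The command-line route mentioned above, using auditpol.exe to enable only the Directory Service Changes subcategory instead of the whole global policy. This is an added example, not part of the original page. It assumes an elevated PowerShell session on a domain controller with English display names; the function name Get-DsAuditSetting is made up for this example.

```powershell
# Added example. Assumptions: elevated session on a domain controller,
# English-language OS (auditpol matches categories by display name).

$category    = 'DS Access'                  # the four AD DS auditing subcategories
$subcategory = 'Directory Service Changes'  # records old and new attribute values

function Get-DsAuditSetting {
    # Hypothetical helper: /r makes auditpol emit CSV instead of a padded table.
    auditpol.exe /get /category:"$category" /r |
        Where-Object { $_ } |               # drop the blank lines auditpol emits
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# 1. Show the current state of all four subcategories.
$before = Get-DsAuditSetting
$before | Format-Table -AutoSize

# 2. Enable success auditing for Directory Service Changes only if it is off.
$current = ($before | Where-Object Subcategory -eq $subcategory).'Inclusion Setting'
if ($current -notmatch 'Success') {
    auditpol.exe /set /subcategory:"$subcategory" /success:enable
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed with exit code $LASTEXITCODE"
    }
}

# 3. Confirm the change; the other three subcategories should be unchanged.
Get-DsAuditSetting | Format-Table -AutoSize
```

Unlike the Group Policy procedure, this changes only the one subcategory on the domain controller where it is run.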