Home » Microsoft » 70-687 » Which audit policy setting should you configure?
A company has Windows 8.1 client computers. All user data is stored locally. Each data file has a system access control list (SACL).
You need to ensure that an event is generated when a user modifies a local file.
Which audit policy setting should you configure?
A. Audit process tracking
B. Audit policy change
C. Audit object access
D. Audit privilege use
Correct Answer: C
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx Audit object access
This security setting determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth-- that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccess- fully attempts to access an object that has a SACL specified.
Further Information:
https://blogs.manageengine.com/product-blog/eventloganalyzer/2012/06/20/object-access-auditing-simplified-find-the-who-what-where-when-of-file-folder-access.html
Object Access Auditing Simplified Find the ‘Who, What, Where, When’ of File & Folder Access