You are The Exchange administrator for your company. The network consists of a single Active Directory domain.
The network contains nine Exchange Server 2003 computers running on Microsoft Windows Server 2003 member servers.
All Exchange servers are in a single organizational Unit (OU) named Exchange Servers.
Only the Exchange server computer objects are contained in the Exchange Servers OU.
Users in a group named Exchange Admins are exclusively responsible for managing the Exchange organization.
No other group, including the Enterprise Admins and Domain Admins groups, has permissions to manage the Exchange organization.
You discover that the Domain Admins group is in the membership list of the Exchange Admins group.
You need to ensure chat any changes to group membership that would allow access to manage the Exchange organization are recorded.
What should you do?

A.
Configure the Default Domain Controllers Policy to include auditing successful policy change events.

B.
Configure the Default Domain Controllers Policy to include auditing successful account management events.

C.
Create a Group Policy object (GPO) on the Exchange servers OU to audit successful policy change events.

D.
Create a Group Policy object (GPO) on the Exchange Servers OU to audit successful directory service access events.

Explanation:
Audit account management – This policy setting determines whether to audit
each account management event on a computer. Examples of account management
events include the following:
– A user account or group is created, changed, or deleted.
– A user account is renamed, disabled, or enabled.
– A password is set or changed.
If you configure the Audit account management setting, you can specify whether to audit successes, audit failures, or not audit the event type at all.
Success audits generate an audit entry when any account management event succeeds, and you should enable them on all computers in your enterprise.
When an organization responds to security incidents, it is critical that they be able to track who created, changed, or deleted an account.
Failure audits generate an audit entry when any account management event fails.
Directory Service Access is a very general category. Basically, it refers to any time a ser changes an Active Directory object in this
way we can see who add Domain Admins group to membership list of the Exchange Admins group. This need to be done to domain
level access by default is not policy settings audit are not set in member server, doing this to domain level Exchange OU will inherit
this setting The Account Policies security area receives special treatment in how it takes effect on computers in the domain. All DCs
in the domain receive their account policies from GPOs configured at the domain node regardless of where the computer object for
the DC is. This ensures that consistent account policies are enforced for all domain accounts. All non-DC computers in the domain
follow the normal GPO hierarchy for getting policies for the local accounts on those computers. By default, member workstations and
servers enforce the policy settings configured in the domain GPO for their local accounts, but if there is another GPO at lower scope
that overrides the default settings, then those settings will take effect. These GPOs, once created, are applied in a standard order:
LSDOU, which stands for (1) Local, (2) Site, (3) Domain, (4) OU