PrepAway - Latest Free Exam Questions & Answers

You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change is au

A corporate network includes a single Active Directory Domain Services (AD DS) domain.
All regular user accountsreside in an organizational unit(OU) named Employees.
All administrator accounts reside in an OUnamed Admins.
You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change
is audited.
What should you do first?

PrepAway - Latest Free Exam Questions & Answers

A.
Enable the Audit directory service accesssetting in the Default Domain Controllers Policy Group Policy
Object.

B.
Create a Group Policy Object with the Audit directory service accesssetting enabled and link it to the
Employees OU.

C.
Enable the Audit directory service accesssetting in the Default Domain Policy Group Policy Object.

D.
Modify the searchFlagsproperty for the User class in the schema.

Explanation:
Same question as J/Q7, different set of answers.
To audit changes made to objects in AD DS we have to use Directory Service Changesauditing, which
indicates the old and new values of the changed properties of the objects that were changed. Directory
Service Changesauditing is a subcategoryof Audit directory service access, and is not enabled by default.
To use it we have to enable it first, and we can dothat specifically for Directory Service Changesby using
auditpol.exe, or we can use Group Policy Managementto enable Audit directory service access, which
enables all subcategories, including Directory Service Changes. You do this by modifying the Default
Domain Controllers Policy.
Reference:
http://technet.microsoft.com/en-us/library/cc731607.aspx
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access,
that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008,
this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
This step includes procedures to enable change auditing with either the Windows interface or a
command line:
By using Group Policy Management, you can turn on the global audit policy, Audit directory service access,
which enables all the subcategoriesfor AD DS auditing.
To enable the global audit policy using the Windowsinterface
1. Click Start, point to Administrative Tools, and then Group Policy Management.
2. In the console tree, double-click the name of theforest, double-click Domains, double-click the name of your
domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click
Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security
Settings, double-click Local Policies, and then click Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success, check box, and then click OK.


Leave a Reply