PrepAway - Latest Free Exam Questions & Answers

You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change is au

A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user
accounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OU
named Admins.
You need to ensure that any time an administrator modifies an employee’s name in AD DS, the change is
audited.
What should you do first?

A.
Create a Group Policy Object with the Audit directory service access setting enabled and link it to the
Employees OU.

B.
Modify the searchFlags property for the Name attribute in the Schema.

C.
Create a Group Policy Object with the Audit directory service access setting enabled and link it to the
Admins OU.

D.
Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.

Explanation:
Same question as J/Q37, different set of answers.
Before we can use the Directory Service Changes audit policy subcategory, we have to enable it first. We can
do that by using auditpol.exe.
Reference:
http://technet.microsoft.com/en-us/library/cc731607.aspx
Auditing changes to objects in AD DS
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access,
that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008,
this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory
Service Changes. This guide provides instructions for implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving,
or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current
values of the attribute. If the attribute has more than one value, only the values that change as a result of the
modify operation are logged.
(…)
Steps to set up auditing
This section includes procedures for each of the primary steps for enabling change auditing:
Step 1: Enable audit policy.
Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface or a command line:
(…)
By using the Auditpol command-line tool, you can enable individual subcategories.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
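
Both steps end to end, as an added example that is not part of the original page or the TechNet guide: it enables the subcategory, adds the SACL entry from Step 2 in PowerShell instead of Active Directory Users and Computers, and then reads back the change events. Assumptions: the OU distinguished name is a placeholder, Everyone is used as the audited principal, the script runs elevated on a domain controller, and the change events are read as Security log event ID 5136 with its standard field names (neither is named on this page).

```powershell
# Added example. Run elevated on a domain controller with the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDn = 'OU=Employees,DC=corp,DC=example'   # placeholder DN (assumption)

# Step 1: enable the Directory Service Changes subcategory, then confirm it.
auditpol /set /subcategory:"directory service changes" /success:enable
auditpol /get /subcategory:"directory service changes"

# Step 2: add a SACL entry on the Employees OU that audits successful
# property writes by anyone (Everyone, S-1-1-0) on descendant user objects.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$ouDn" -Audit     # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list recent change events (ID 5136) for objects under the OU.
# A modify is logged as a "Value Deleted" record (old value) plus a
# "Value Added" record (new value).
$opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectDN -like "*,$ouDn") {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object    = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Operation = $opNames[$d.OperationType]
                Value     = $d.AttributeValue
            }
        }
    }
```

If the subcategory is enabled but no matching SACL entry exists on the object, no change event is written, which is why the guide lists the SACL as a separate step.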

