HOTSPOT - For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point. Hot Area:
N,N,Y
The file D:\Folder1\Report.docx is located on Computer1. User1 and User2 have full control permissions to D:\Folder1\Report.docx.
The Local Computer Policy for Computer1 is configured to audit any successful object access. Failed access attempts are not audited at all.
Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
The SACL of D:\Folder1\Report.docx has an entry that audits successful read attempts for members of Group2 only. Any other access will not be audited.
User1 is not a member of Group2. Object access of User1 is not audited.
User2 is a member of Group2. Any read attempts of User2 will be audited.
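The two conditions described above (the audit policy and a matching SACL entry) can be checked on a lab machine with the following added example, which is not part of the original page. It assumes an elevated PowerShell session on Computer1 and that `Group2` resolves as a local group name.

```powershell
# Added example: inspect the policy gate, set the SACL entry the explanation
# describes, then list the 4663 events recorded for the file.
$path = 'D:\Folder1\Report.docx'

# 1. Policy gate: show whether Success and/or Failure auditing is enabled
#    for the File System subcategory of Object Access.
auditpol /get /subcategory:"File System"

# 2. SACL: audit successful reads by Group2 only.
#    'Group2' as a resolvable account name is an assumption of this example.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Group2', 'Read', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read the SACL back to confirm who and what is audited.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. After User1 and User2 have opened the file, list 4663 events for it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the EventData name/value pairs into a hashtable.
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -eq $path) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = $data.SubjectUserName
                AccessMask = $data.AccessMask
            }
        }
    }
```

Comparing the `User` column in step 4 against the SACL printed in step 3 shows which accounts the audit entry actually covers.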
The answers are YES YES YES - Very difficult question. You really need to learn what is happening here.
Events are generated when the attempts success setting is enabled. Events are generated with Event ID 4656 and 4658. Now, as there is an audit correctly configured for User2, the events generated will be 4663 indicating the exact file that was opened by User2.
Event ID 4663 generates the following message: “An attempt was made to access an object.”
Event ID 4656 generates the following message: “A handle to an object was requested.”
Event ID 4658 generates the following message: “The handle to an object was closed.”
Another important note is that the Audit object access policy with Success enabled generates security logs for any file. Just open the file and logs with Event ID 4656 and 4658 will be generated.
These events are generated only if success auditing is enabled:
4656(S, F): A handle to an object was requested: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656
4658(S): The handle to an object was closed: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4658
This event indicates that a specific operation was performed on an object:
4663(S): An attempt was made to access an object: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663
An Audit object access policy definition:
"Determines whether to audit the event of a user accessing an object - for example, a file, folder, registry key, printer, and so on - that has its own system access control list (SACL) specified."
In all three questions, the user action will be successful.
The question asks if it will generate an event.
D:\Folder1\Report.docx has an *explicit* rule for *failure* for Group1.
D:\Folder1\Report.docx has *no* rule for *success* for Group1.
Local group policy has a rule for Success for all groups. This should apply when no explicit rule applies, which is the case.
D:\Folder1\Report.docx has an *explicit* rule for *success* for Group2.
Since all user actions are successful, I'm thinking it's Y,Y,Y.
Answer is correct. GPO overrules file-specific Audit Object Access policy.
As the GPO for Computer 1 has recording access Success enabled and access Failure disabled, only successful read/write actions on D:\Folder\Report.docx will be recorded.
The actions described in the questions all result in successes, meaning no Audit Object Access event is created.
User 1 (Group 1, full control) > Read = Success
User 1 (Group 1, full control) > Write = Success
User 2 (Group 2, allow read, deny write) > Read = Success
So the answer is Yes, Yes, Yes.