Exam SY0-501 topic 1 question 1053 discussion

Following standard naming conventions for audit group users may help in organizing and identifying users within audit groups, but it doesn't directly address the issue of preserving audit log integrity or enhancing accountability as effectively as applying least privilege.

Audit group needs read only permission, function group needs change permission. Mix together hurts the least privilege.

Several users who belong to functional groups and groups responsible for auditing the functional groups actions -> these users could audit their own accounts and maybe change something and then remove the trace -> damage the integrity of the log How could standard naming convention avoid this? I think a more reasonable way is to remove these users from the audit group so that they couldn't audit their own accounts anymore -> deprive some of their permissions/privileges so that the integrity of the audit log can be preserved. And the closest option we have seems like to be B - apply the least privilege

A standard naming convention allows better administrative control over network resources. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the directory information tree. Using Active Directory as an example, one of the first decisions is to determine how your AD namespace will integrate with your public DNS records. For example, you may make the AD namespace a delegated subdomain of your public DNS domain name (for example, ad.widget.com). This solution isolates AD from the public Internet and means that the DNS servers supporting the public domain name (widget.com) do not need to support Active Directory. User account names are usually either based on the firstname.lastname format (bob.dobbs), or a combination of first or first and second initial with lastname (jrdobbs). Accounts should be named in a consistent manner. This helps facilitate management of accounts, especially through scripting and command-line usage. You should also refrain from naming accounts based on nicknames or common words so as not to anonymize users.

C is more right than the others. Biggest issue is outages not being able to trace to any user. For this review of permissons, the security analyst must be seeing something wrong in the naming conventions or why the group permissions are overlapping this way. I eliminate least privelegd because I assume least priveledge is already implemented and still have outtages. I also eliminate D 'cause service accounts are for machine2machines not people..

vote for B

"users who belong to functional groups and groups responsible for auditing the functional groups' actions", need to apply least privilege here.

Also vote for D

Shouldn't it be D?