Overview
Contoso, Ltd. is a company that has a main office in Seattle and two branch offices in Los Angeles and Montreal.
Existing Environment
AD DS Environment
The network contains an on-premises Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains two domains named contoso.com and canada.contoso.com.
The forest contains the domain controllers shown in the following table.
All the domain controllers are global catalog servers.
Server infrastructure
The network contains the servers shown in the following table.
A server named Server4 runs Windows Server and is in a workgroup. Windows Firewall on Server4 uses the private profile.
Server2 hosts three virtual machines named VM1, VM2, and VM3.
VM3 is a file server that stores data in the volumes shown in the following table.
Group Policies
The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.
Existing Identities
The forest contains the users shown in the following table.
The forest contains the groups shown in the following table.
Current Problems
When an administrator signs in to the console of VM2 by using Virtual Machine Connection, and then disconnects from the session without signing out, another administrator can connect to the console session as the currently signed in user.
Requirements
Technical Requirements
Contoso identifies the following technical requirements:
- Change the replication schedule for all site links to 30 minutes.
- Promote Server1 to a domain controller in canada.contoso.com.
- Install and authorize Server3 as a DHCP server.
- Ensure that User1 can manage the membership of all the groups in Contoso\OU3.
- Ensure that you can manage Server4 from Server1 by using PowerShell remoting.
- Ensure that you can run virtual machines on VM1.
- Force users to provide credentials when they connect to VM2.
- On VM3, ensure that Data Deduplication on all volumes is possible.
You need to meet the technical requirements for User1. The solution must use the principle of least privilege.
What should you do?
- A. Add User1 to the Server Operators group in contoso.com.
- B. Create a delegation on contoso.com.
- C. Add User1 to the Account Operators group in contoso.com.
- D. Create a delegation on OU3.
Suggested answer: D. Create a delegation on OU3.
The suggested answer is correct
- Requirement: Ensure that User1 can manage the membership of all the groups in Contoso\OU3.
- Question: You need to meet the technical requirements for User1. The solution must use the principle of least privilege.
- Answer: D. Create a delegation on OU3.
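The delegation in answer D can also be created without the Delegation of Control wizard, for example on a Server Core installation. The following is an added example, not part of the original page: it grants User1 read/write on the `member` attribute of group objects under OU3 only. It assumes OU3 sits directly under the contoso.com domain root and that User1 is an account in contoso.com; `Get-SchemaGuid` is a hypothetical helper defined in the block.

```powershell
# Added example: scope "modify group membership" to OU3 for User1.
Import-Module ActiveDirectory

$ouDn    = 'OU=OU3,DC=contoso,DC=com'     # assumption: OU3 is directly under the domain root
$trustee = Get-ADUser -Identity 'User1'   # assumption: User1 is in contoso.com

# Resolve schema GUIDs from the forest schema rather than hardcoding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {   # hypothetical helper name
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$memberAttr = Get-SchemaGuid 'member'   # the attribute User1 may change
$groupClass = Get-SchemaGuid 'group'    # the object class the ACE applies to

# Allow read/write of 'member' only, inherited only by descendant group objects.
# No rights on users, computers, the OU itself, or any other group attribute.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review what was granted: explicit ACEs on OU3 for User1.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*\User1' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

The final query doubles as an audit check: any explicit ACE for User1 on OU3 beyond this single `member` entry means the delegation is broader than the requirement.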
prepper666
Highly Voted 2 years, 5 months ago
D is correct
upvoted 8 times
GoforIT21
2 years, 4 months ago
Yeah, doing anything with a scope of contoso.com will violate the principle of least privilege here...
upvoted 4 times
syu31svc
Most Recent 1 year, 8 months ago
Selected Answer: D
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects
You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group. "Principle of least privilege", so the answer is D.
upvoted 2 times
empee1977
1 year, 9 months ago
Selected Answer: D
Creating a delegation on OU3 would be the best option to meet the requirement for User1 to manage the membership of all the groups in Contoso\OU3 while following the principle of least privilege. Delegation allows you to assign specific administrative tasks to users or groups without granting them full control over the object.
upvoted 3 times
johosofat
2 years ago
Selected Answer: D
The delegation wizard is pretty easy - bummer for folks that run Core! :-) D is correct; granularity is great there.
upvoted 2 times
Jawad1462
2 years, 1 month ago
Selected Answer: D
Is the correct answer as we are working with least privileges
upvoted 1 times
xrisimix
2 years, 2 months ago
In order to change a "group member", you need to have permissions to change "member of" of affected user or group. So delegation to OU of groups is not enough. B should be correct.
upvoted 1 times
WMG
2 years, 3 months ago
Selected Answer: D
When you delegate to an OU you can be extremely granular, so D) is correct. C) Account Operators also has an interesting side effect: it allows Local Login on Domain Controllers. Great for least privilege!
upvoted 3 times