Exam
Answer confirmed
Question
You have an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.
You need to provide an administrator with the ability to manage Group Policy Objects (GPOs). The solution must use the principle of least privilege.
To which group should you add the administrator?
Proposed answer
- A. AAD DC Administrators
- B. Domain Admins
- C. Schema Admins
- D. Enterprise Admins
- E. Group Policy Creator Owners
Suggested answer
A. AAD DC Administrators
Correct answer
The suggested answer is correct
Prerequisites
To complete this article, you need the following resources and privileges:
- An active Azure subscription.
  - If you don't have an Azure subscription, create an account.
- A Microsoft Entra tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- A Microsoft Entra Domain Services managed domain enabled and configured in your Microsoft Entra tenant.
  - If needed, complete the tutorial to create and configure a Microsoft Entra Domain Services managed domain.
- A Windows Server management VM that is joined to the Domain Services managed domain.
  - If needed, complete the tutorial to create a Windows Server VM and join it to a managed domain.
- A user account that's a member of the AAD DC Administrators group in your Microsoft Entra tenant.
Nilz76
Highly Voted 2 years, 6 months ago
Selected Answer: A
Settings for user and computer objects in Azure Active Directory Domain Services (Azure AD DS) are often managed using Group Policy Objects (GPOs). Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. ANSWER (A): Members of the Azure AD DC administrators group have "Group Policy administration privileges in the Azure AD DS domain, and can also create custom GPOs and organizational units (OUs)."
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy
upvoted 28 times
prepper666
Highly Voted 2 years, 6 months ago
Answer is A. Question states Azure AD DS, not on-premises. Read the question carefully.
upvoted 11 times
SIAMIANJI
Most Recent 2 months, 2 weeks ago
Selected Answer: A
To ensure the administrator can manage Group Policy Objects (GPOs) in Azure Active Directory Domain Services (Azure AD DS) while adhering to the principle of least privilege, follow these steps: Add the Administrator to the “AAD DC Administrators” Group: The AAD DC Administrators group is specifically designed for managing Azure AD DS. By adding the administrator to this group, you grant them the necessary permissions to manage GPOs without granting excessive privileges. This approach aligns with the principle of least privilege, ensuring that the administrator has only the required permissions for GPO management.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
upvoted 2 times
Bolo92
1 year ago
valid 27.11.23
upvoted 2 times
ahenriquez02
1 year, 3 months ago
A. The "AAD DC Administrators" group is specifically designed to grant administrative privileges for Azure AD DS domain controllers. Members of this group have the permissions necessary to manage various aspects of the domain, including Group Policy Objects.
upvoted 1 times
pass601
1 year, 6 months ago
A is CORRECT ANSWER
upvoted 1 times
Jcbrow27
1 year, 8 months ago
The correct answer is A https://learn.microsoft.com/es-es/azure/active-directory-domain-services/manage-group-policy
upvoted 2 times
syu31svc
1 year, 8 months ago
Selected Answer: A
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy Members of the Azure AD DC administrators group have Group Policy administration privileges in the Azure AD DS domain, and can also create custom GPOs and organizational units (OUs). Answer is A
upvoted 1 times
Fakecon
1 year, 9 months ago
Here is from Microsoft: You don't have Domain Administrator or Enterprise Administrator permissions on a managed domain using Azure AD DS. These permissions are reserved by the service and aren't made available to users within the tenant. AAD DC Administrators: administration group on domain-joined VMs, and configuring Group Policy.
upvoted 2 times
miki345
1 year, 10 months ago
AAD DC Administrators. Answer is A. https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced Instead, the AAD DC Administrators group lets you perform some privileged operations. These operations include belonging to the administration group on domain-joined VMs, and configuring Group Policy.
upvoted 2 times
Robert69
1 year, 11 months ago
If question 6 (this topic) is AAD DC Administrators, then the answer here is also AAD DC Administrators.
upvoted 2 times
22Gaspar
2 years, 4 months ago
The correct answer is B
upvoted 4 times
plmmsg
2 years, 5 months ago
Selected Answer: A
AAD DC Administrators
upvoted 7 times
odbjegli
2 years, 7 months ago
Q:....provide an administrator ability to manage GPOs. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only the GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create. So the admin from this question will not be able to manage already set GPOs. There are no Enterprise or Domain admin accounts in Azure AD DS. Instead, there is a group called AAD DC Administrators used to manage Azure AD DS. Accounts in this group have rights such as local administrator on member servers and administrative rights required to manage Azure AD DS. Prerequisite for Azure AD DS Group Policy Objects: A user account that’s a member of the Azure AD DC administrators group in your Azure AD tenant.
upvoted 1 times
certmonk
2 years, 7 months ago
Answer E: Group Policy Creator Owners should be the correct answer. Least privilege is required. A Group Policy Creator Owners group member can create, delete and link GPOs to OUs.
upvoted 1 times
AnonymousJhb
2 years, 6 months ago
Incorrect. With this role you can only edit the GPOs that you created, and you cannot link your GPO to any containers. Too restrictive for management.
upvoted 2 times
RuiAbel
2 years, 7 months ago
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy#open-the-group-policy-management-console-and-edit-an-object
upvoted 2 times
odbjegli
2 years, 7 months ago
Selected Answer: A
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy
upvoted 3 times
olnn
2 years, 7 months ago
answer A:
upvoted 4 times
Scoff
2 years, 7 months ago
Selected Answer: A
A - AAD DC Administrators
upvoted 4 times
examcrammer
2 years, 7 months ago
Answer E. Group Policy Creator/Owners can create and then manage any of their created objects. They cannot link them. To link, you must be a Domain admin or Enterprise Admin. The real question is, what is being asked. To manage a GPO does not necessarily mean to link it, just manage the settings. I will answer E on the exam. If you must, choose Domain Admins, as Enterprise Admins is providing way too many permissions.
upvoted 2 times
blacknurse
2 years, 7 months ago
This won't be correct, as the Group Policy Creator/Owners can only edit or delete GPOs that they have created. Therefore, from a management perspective they won't fulfill this responsibility.
upvoted 1 times
blacknurse
2 years, 7 months ago
I will go with AAD DC Administrators, as this group has Group Policy administration privileges in the Azure AD DS domain, instead of Domain Admins, which is far wider.
upvoted 1 times
Vmwarevirtual
2 years, 7 months ago
The answer should be A - To administer group policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group. https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy#open-the-group-policy-management-console-and-edit-an-object
upvoted 4 times
Nemanjab011
2 years, 7 months ago
I will go with Domain Admins rather than Enterprise Admins.
upvoted 3 times
VinoTee
2 years, 6 months ago
Domain Admin is for On-Premises. AAD DC Administrator is the same as Domain Admin, BUT it's built for AZURE AD and NOT for On-Premises. So the correct answer should be A. AAD DC Administrators
upvoted 2 times