Your network contains an Active Directory domain named contoso.com. The domain
contains an organizational unit (OU) named IT and an OU named Sales.
All of the help desk user accounts are located in the IT OU. All of the sales user accounts
are located in the Sales OU. The Sales OU contains a global security group named
G_Sales. The IT OU contains a global security group named G_HelpDesk.
You need to ensure that members of G_HelpDesk can perform the following tasks:
Reset the passwords of the sales users.
Force the sales users to change their password at their next logon.
What should you do?
A. Run the Set-ADAccountPassword cmdlet and specify the -identity parameter.
B. Right-click the Sales OU and select Delegate Control.
C. Right-click the IT OU and select Delegate Control.
D. Run the Set-ADFineGrainedPasswordPolicy cmdlet and specify the -identity parameter.
Explanation:
Members of G_HelpDesk need to be delegated control on the Sales OU, as it contains
the sales users (G_Sales).
You can use the Delegation of Control Wizard to delegate the Reset Password permission to
the delegated user.
http://support.microsoft.com/kb/296999/en-us
http://technet.microsoft.com/en-us/library/cc732524.aspx
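The same delegation can be made and checked from the command line. The script below is an added example, not part of the original question; it goes beyond the wizard by showing the two permissions behind the task. It assumes both OUs sit directly under the domain root, and the function name Reset-SalesUserPassword is hypothetical.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and
# permission to modify the ACL of the Sales OU.
Import-Module ActiveDirectory

# Names from the question; the DN layout is an assumption.
$salesOu  = 'OU=Sales,DC=contoso,DC=com'
$itOu     = 'OU=IT,DC=contoso,DC=com'
$helpDesk = 'CONTOSO\G_HelpDesk'

# 1. "Reset Password" is a control access (extended) right on user objects.
#    /I:S applies the ACE to descendant objects only, limited to class "user".
dsacls $salesOu /I:S /G "${helpDesk}:CA;Reset Password;user"

# 2. "User must change password at next logon" is set by writing pwdLastSet = 0,
#    so the group needs read/write on that single attribute and nothing else.
dsacls $salesOu /I:S /G "${helpDesk}:RPWP;pwdLastSet;user"

# 3. Verify what G_HelpDesk now holds on a given OU.
function Get-HelpDeskAce {
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $helpDesk } |
        Select-Object ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}

'--- Sales OU (expect ExtendedRight and ReadProperty/WriteProperty ACEs) ---'
Get-HelpDeskAce -OuDn $salesOu | Format-Table -AutoSize

'--- IT OU (expect no ACEs added by this script) ---'
Get-HelpDeskAce -OuDn $itOu | Format-Table -AutoSize

# 4. What a G_HelpDesk member runs afterwards, in their own session.
#    Both calls fail with "Access is denied" for users outside the Sales OU.
function Reset-SalesUserPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $new = Read-Host -AsSecureString "New password for $SamAccountName"
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $new
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}
```

The ACEs are written to the Sales OU and name G_HelpDesk as the trustee, which is why the wizard is started from the Sales OU rather than the IT OU.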
Why is it the Sales OU and not the IT OU?
I am wondering the same thing.
Because when you delegate control, you’re giving the group you specify the rights you choose to the OU you’re selecting.
You want to allow the IT group to change settings for the users in the sales OU. Delegating the IT OU would only allow the IT group to change IT user passwords.
I think you’re understanding the process backwards. Delegating is a property of the OU, not the group.
Because you set what you want to control, not who’s controlling.
B