Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2. Server1 has the Remote Access server role installed.
You log on to Server1 by using a user account named User2.
From the Remote Access Management Console, you run the Getting Started Wizard and you receive a warning
message as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can configure DirectAccess successfully. The solution must minimize the number
of permissions assigned to User2.
To which group should you add User2?
A. Enterprise Admins
B. Administrators
C. Account Operators
D. Server Operators
Explanation:
You must have privileges to create WMI filters in the domain in which you want to create the filter.
Permissions can be changed by adding a user to the Administrators group.
Administrators (A built-in group)
After the initial installation of the operating system, the only member of the group is the Administrator
account. When a computer joins a domain, the Domain Admins group is added to the Administrators group.
When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators
group. The Administrators group has built-in capabilities that give its members full control over the system.
The group is the default owner of any object that is created by a member of the group.
This example logs in as a test user who is neither a domain user nor an administrator on the server. This results in
the error stating that DirectAccess (DA) can only be configured by a user with local administrator permissions.
Ref: http://technet.microsoft.com/en-us/library/cc780416(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc775497(v=ws.10).aspx
Typo: Option B should be “Domain Administrators”
If the answers don't have errors, I go for A
You must have privileges to create WMI filters in the domain in which you want to create the filter. By default, the Domain Administrators, Enterprise Administrators, and Group Policy Creator Owners groups have this permission.
https://technet.microsoft.com/en-us/library/cc770562.aspx
If you use the domain group named just “administrators” then WMI filtering and GPOs can also be administered; I just verified in my lab. The problem is that the question states you are working on a member server rather than on a domain controller. So it is not clear if they are talking about the server’s local group “Administrators” or the domain group…?! :-/
But I tend to use “Administrators” rather than “Enterprise Admins”
Server Admin is right, B should be Domain Administrators.
Admins who deploy a Remote Access server require local administrator permissions on the server and domain user permissions. In addition, the administrator requires permissions for the GPOs that are used for DirectAccess deployment. To take advantage of the features that restrict DirectAccess deployment to only mobile computers, Domain Admin permissions are required on the domain controller to create a WMI filter.
https://technet.microsoft.com/en-us/library/Hh831539.aspx
I’ve seen the question asked with Domain Admins or administrators. Both are right since Domain Admins will also be local admins on a member server.
http://download.microsoft.com/download/1/8/C/18C99EDF-BB2A-4160-AE6D-2C447620663E/Module%203%20-%20Technical%20Overview.pdf
The account used must also be a member of the Account Operators group, Domain Admins
group, or the Enterprise Admins group in Active Directory, or it must have been delegated the
appropriate authority needed to create security groups in Active Directory.
DirectAccess configuration can be completed only by a domain user who has local
administrator rights on the DirectAccess server.
User2 needs to at least be a member of Domain Admins.
https://technet.microsoft.com/en-us/library/jj899801.aspx
So the only possible answer here is A. (I would not choose B. because it is not enough)
Remember that this wizard will auto-create the necessary GPOs (if you choose to do so).
Account Operators is the answer since the question says it must minimize the number of permissions assigned to User 2. All those user accounts can be used, but Account Operators gives User 2 the least permission for the task at hand.
I saw some choose Account Operators as the answer. I do not understand the logic of this choice. Can someone explain why?
Account and Server Ops don't even exist. Ignore those.
The answer is Domain Admins, and if Domain Admins is not present in the answers, then it’s Enterprise Admins.
Local Administrators is WRONG.