Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows
Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named
OU1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control Wizard.
B. From Active Directory Administrative Center, modify the security settings of PSO1.
C. From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.
D. From Active Directory Administrative Center, modify the security settings of OU1.
Explanation:
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider
creating global security groups that contain the users from these OUs and then applying the newly defined
fine-grained password and account lockout policies to them. If you move a user from one OU to another, you
must update user memberships in the corresponding global security groups.
Go ahead and hit “OK” and then close out of all open windows. Now that you have created a password policy,
we need to apply it to a user/group. In order to do so, you must have “write” permissions on the PSO object.
We’re doing this in a lab, so I’m Domain Admin. Write permissions are not a problem.
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active
Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings
Container.
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
Will someone please confirm?
The msDS-PsoAppliesTo attribute is what dictates who the PSO is APPLIED to, not who has the authority TO apply. The Explanation is wrong.
However, the answer is correct.
*By default, only users in the Domain Admins group have Write Permissions to a PSO. Therefore, only Domain Admins have the ability to apply a PSO to a user or Security Group*
To delegate the ability to apply a PSO, they must either be added to the Domain Admins group, or they must be given the WRITE setting, which is done in the Security settings of the PSO.
You do not have to have permissions on the user object or group object to be able to apply a PSO to it. (making C, D, and A incorrect) To apply a PSO to the user object or group object, you must have Write permissions on the PSO object. https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
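
Added example (not part of the original question, explanation or comments): the delegation and application steps discussed above, done in PowerShell with the ActiveDirectory module. PSO1, OU1 and contoso.com come from the question; the group names PSO1-Delegates and OU1-Users are hypothetical, both groups are assumed to exist already, and OU1 is assumed to sit directly under the domain root. The grant is narrowed to the msDS-PSOAppliesTo attribute instead of a general Write on PSO1.

```powershell
# Added example. 'PSO1-Delegates' and 'OU1-Users' are hypothetical, pre-existing
# groups; OU1 is assumed to be at OU=OU1,DC=contoso,DC=com.
Import-Module ActiveDirectory

$pso       = Get-ADFineGrainedPasswordPolicy -Identity 'PSO1'
$delegates = Get-ADGroup -Identity 'PSO1-Delegates'
$shadow    = Get-ADGroup -Identity 'OU1-Users'      # global security group
$ouDn      = 'OU=OU1,DC=contoso,DC=com'

# Look up the schema GUID of msDS-PSOAppliesTo so the write ACE covers only
# that attribute.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=msDS-PSOAppliesTo)' -Properties schemaIDGUID
$attrGuid = [System.Guid]$attr.schemaIDGUID

# 1. Delegate: on PSO1 itself (not on OU1), allow the group to read the object
#    and to write msDS-PSOAppliesTo.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$path   = "AD:\$($pso.DistinguishedName)"
$acl    = Get-Acl -Path $path
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegates.SID, $rights::ReadProperty, $allow)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegates.SID, $rights::WriteProperty, $allow, $attrGuid)))
Set-Acl -Path $path -AclObject $acl

# 2. A PSO cannot target an OU, so mirror OU1's users into the security group.
#    Only users who are not yet members are added.
$current = @(Get-ADGroupMember -Identity $shadow | ForEach-Object DistinguishedName)
$missing = @(Get-ADUser -Filter * -SearchBase $ouDn -SearchScope Subtree |
             Where-Object { $current -notcontains $_.DistinguishedName })
if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $shadow -Members $missing }

# 3. Apply: this writes msDS-PSOAppliesTo on PSO1, the same attribute edited
#    in step 6 of the Attribute Editor procedure.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $shadow

# 4. Check: who PSO1 applies to, and which explicit ACEs on PSO1 grant write.
Get-ADFineGrainedPasswordPolicySubject -Identity $pso | Select-Object Name, ObjectClass
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited -and "$($_.ActiveDirectoryRights)" -match 'Write|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Step 2 has to be repeated whenever users move into or out of OU1, as the explanation notes; the listing in step 4 doubles as a periodic review of who can retarget PSO1.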