You are designing an Active Directory forest for a company named Contoso, Ltd. Contoso
identifies the following administration requirements for the design:
User account administration and Group Policy administration will be performed by network
technicians. The technicians will be added to a group named OUAdmins.
IT staff who are responsible for backing up servers will have user accounts that are
members of the Backup Operators group in the domain.
All user accounts will be located in an organizational unit (OU) named AllEmployees.
You run the Delegation of Control Wizard and assign the OUAdmins group full control to all
of the objects in the AllEmployees OU.
After delegating the required permissions, you discover that the user accounts of some of
the IT staff have inconsistent permissions on the objects in AllEmployees.
You need to recommend a solution to ensure that the members of OUAdmins can manage
all of the objects in AllEmployees.
What should you include in the recommendation?
A. Remove the IT staff user accounts from Backup Operators and place them in a new group. Grant the new group the Backup files and directories user right and the Restore files and directories user right. Enforce permission inheritance on all of the objects in the AllEmployees OU.
B. Create separate administrator user accounts for the technicians. Enforce permission inheritance on all of the objects in the AllEmployees OU. Delegate permissions to the new user accounts.
C. Enforce permission inheritance on all of the objects in the AllEmployees OU. Run the Delegation of Control Wizard.
D. Move the user accounts of the technicians to a separate OU. Enforce permission inheritance on all of the objects in the AllEmployees OU. Run the Delegation of Control Wizard on the AllEmployees OU.
The premium file has the answer as C, which I think is correct.
Why would you want to create an additional admin account for each of the technicians !?!?
The right answer is B — the answer to the question is probably C.
Best practice indicates admin accounts should be separate from user accounts, but this question is always looking for the best way to do what was described, which should be C.
This is a weird question. There is a problem with the IT-staff accounts, not the technicians. IT-staff is a member of a group that is protected by AdminSDHolder (Backup Operators), causing this issue. The solution would be to create separate admin accounts for IT-staff, not technicians. B indeed comes closest to the right solution, but the mix-up between technicians and IT-staff makes this question very confusing. If you rename technicians to IT-staff in answer B, then it’s the right answer.
Maybe I'm not thinking straight on this one, but if the IT staff are members of the Backup Operators group and that group is protected by AdminSDHolder (and SDPROP, to be precise), but you wish to give them delegated rights on an OU for user and GPO administration only, then using answer B as the solution will give them elevated privileges.
If you use answer A, the users will still have their backup rights, and when the delegated permissions are reapplied to the OU, AdminSDHolder will not find the accounts as members of the protected Backup Operators group any longer and will do nothing, thus leaving the accounts with the limited delegated rights required.
IMO the answer is A
The correct answer must be related to the Delegation of Control Wizard.
So either C or D.
Forget my previous comment, James is right!
The correct answer is A
It’s all about AdminSDHolder
https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
You guys are correct, the answer is A. But it’s leaving out an important attribute you need to modify. Once a domain user is added to a built-in group, the AdminSDHolder takes over and the PDC will re-write the permissions every hour or so. But the adminCount attribute for the user is set to 1. You can remove the user from the Backup Operators group, but the AdminSDHolder still comes and annoys the hell out of you.
I had to personally deal with this “adminCount 1” crap. You gotta set it back to 0 or not set after you remove the user from the built-in Backup Operators group.
Also yes, never add a domain user account to a built-in group.
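An added PowerShell example (not posted by anyone in this thread) of the cleanup the comment above describes: find users that SDProp has stamped with adminCount=1 but that are no longer in any protected group, then clear adminCount and re-enable ACL inheritance so the delegated OU permissions apply again. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and rights to modify the affected accounts; the -WhatIf switches make it a dry run until removed.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module
# (RSAT) and the AD: drive it creates. Remove -WhatIf to actually apply the changes.
Import-Module ActiveDirectory

# Default groups whose members SDProp stamps with the AdminSDHolder ACL and adminCount=1.
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators',
    'Print Operators', 'Replicator', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Schema Admins', 'Read-only Domain Controllers'

# Distinguished names of everyone who is still (transitively) a member of a protected group.
$protectedMembers = foreach ($g in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty DistinguishedName
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain; skip misses.
    }
}

# Users SDProp marked at some point (adminCount=1) that are no longer protected: the orphans.
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $protectedMembers -notcontains $_.DistinguishedName }

foreach ($u in $orphans) {
    Write-Host "Resetting $($u.SamAccountName) ($($u.DistinguishedName))"

    # 1. Clear adminCount so SDProp stops treating the object as protected on its next pass.
    Set-ADUser -Identity $u -Clear adminCount -WhatIf

    # 2. Re-enable inheritance on the object's ACL so the OU-level delegation flows down again.
    #    SetAccessRuleProtection($false, $true): not protected, keep existing explicit ACEs.
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl -WhatIf
}

# Report what is left so the result can be verified after SDProp's next run (60 minutes by default).
"Orphaned adminCount=1 accounts found: $(@($orphans).Count)"
```

Run it once as a dry run, review the listed accounts, then remove -WhatIf; recheck the ACLs after the next SDProp cycle to confirm inheritance stays enabled.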
This question is confusing. They ask you for a specific recommendation: "You need to recommend a solution to ensure that the members of OUAdmins can manage all of the objects in AllEmployees. What should you include in the recommendation?"
Nothing more is asked. So answer C.
Or we could recommend someone who has a basic idea how permissions work to take a look. According to your logic this would fit just nicely in the recommendations, don’t you think?
A is the only one that makes any sense. Stop learning idiotic information by heart from these dumps! They are not a source of knowledge, but a way to train what you’ve already learned. If you have no friggin clue how permissions work, at least, out of basic human decency do NOT perpetuate wrong information!
As the others have indicated, A is the right answer and it’s because of the AdminSDHolder. From Mark’s URL, “However, when the background process runs on the domain controller that holds the PDC Emulator operations master role—by default, every 60 minutes—the ACL is overwritten to match the ACL on the AdminSDHolder object and inheritance is disabled.”
This is why the others won’t work. You cannot ensure the members of OUAdmins can manage that group with C or D. B would be the right answer if it said a separate administrator user account for the IT Staff, which as Ricky points out is what you should be doing anyway.