What should you recommend?

Your network contains an Active Directory forest named contoso.com. The forest contains
one domain.
Your company plans to open a new division named Division1. A group named
Division1Admins will administer users and groups for Division1.
You identify the following requirements for Division1:
All Division1 users must have a complex password that is 14 characters.
Division1Admins must be able to manage the user accounts for Division1.
Division1Admins must be able to create groups, and then delete the groups that they create.
Division1Admins must be able to reset user passwords and force a password change at the
next logon for all Division1 users.
You need to recommend changes to the forest to support the Division1 requirements.
What should you recommend?
More than one answer choice may achieve the goal. Select the BEST answer.

A.
In the forest create a new organizational unit (OU) named Division1 and delegate
permissions for the OU to the Division1Admins group. Move all of the Division1 user
accounts to the new OU. Create a fine-grained password policy for the Division1 users.

B.
Create a new child domain named division1.contoso.com. Move all of the Division1 user
accounts to the new domain. Add the Division1Admins members to the Domain Admins
group. Configure the password policy in a Group Policy object (GPO).

C.
Create a new forest. Migrate all of the Division1 user objects to the new forest and add
the Division1Admins members to the Enterprise Admins group. Configure the password
policy in a Group Policy object (GPO).

D.
In the forest create a new organizational unit (OU) named Division1 and add
Division1Admins to the Managed By attribute of the new OU. Move the Division1 user
objects to the new OU. Create a fine-grained password policy for the Division1 users.



Frousse

I think the best answer is B

A fine-grained password policy cannot be applied directly to an OU, but the user accounts have to be added to a shadow group for the policy to apply.

So, if you add new users, you will have to manually add them into the shadow group for the policy to apply. I think it’s not the best answer because of this.

Creating a new child domain and configuring the password policy via GPO seems the best approach to me because it will be easy to add new users in Division1 in the future.

jimilives

Given Answer is correct.

The question doesn’t say it’s applying a fine-grained password policy to the OU, it says it’s applying to the “Division1 Users”. Creating a child domain for this task is NOT the way it’s done in the real world nor is it the way it’s done by MS best practices.

Doing what it said would take all of 10 min to accomplish. Any other answer is WAY over-engineering a solution to a simple problem. Except choice D:… you don’t use Managed By in that way.

SVN

I think the right answer is A. GPO will not be applied to OU. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups.
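
The OU and fine-grained password policy steps described in option A, together with the shadow-group upkeep raised in the comments, as an added PowerShell example that is not part of the original question or of any commenter's post. The names Division1Users and Division1-PSO, the NetBIOS name CONTOSO and the precedence value 10 are assumptions; it requires the ActiveDirectory module and rights to create PSOs.

```powershell
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=com'
$ouDn     = "OU=Division1,$domainDn"
$shadow   = 'Division1Users'   # hypothetical shadow group name
$psoName  = 'Division1-PSO'    # hypothetical PSO name

# OU for Division1, plus a global security group that will carry the PSO.
New-ADOrganizationalUnit -Name 'Division1' -Path $domainDn
New-ADGroup -Name $shadow -GroupScope Global -GroupCategory Security -Path $ouDn

# Fine-grained password policy: complex passwords, 14 characters minimum.
# Precedence 10 is a constructed value; unlisted settings keep the cmdlet defaults.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $shadow

# Delegate only password reset and "must change at next logon" on user objects
# in the OU (CONTOSO is an assumed NetBIOS domain name).
dsacls $ouDn /I:S /G 'CONTOSO\Division1Admins:CA;Reset Password;user'
dsacls $ouDn /I:S /G 'CONTOSO\Division1Admins:WP;pwdLastSet;user'

# A PSO applies to users and global security groups, not to the OU itself,
# so group membership has to be kept in step with the OU contents.
function Sync-ShadowGroup {
    param([string]$SearchBase, [string]$Group)
    $inOu     = @(Get-ADUser -SearchBase $SearchBase -Filter * |
                  ForEach-Object DistinguishedName)
    $inGroup  = @(Get-ADGroupMember -Identity $Group |
                  Where-Object objectClass -eq 'user' |
                  ForEach-Object DistinguishedName)
    $toAdd    = @($inOu    | Where-Object { $_ -notin $inGroup })
    $toRemove = @($inGroup | Where-Object { $_ -notin $inOu })
    if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count }
}
Sync-ShadowGroup -SearchBase $ouDn -Group $shadow

# Audit: list OU users whose resultant policy is not the Division1 PSO.
Get-ADUser -SearchBase $ouDn -Filter * | Where-Object {
    (Get-ADUserResultantPasswordPolicy -Identity $_).Name -ne $psoName
} | Select-Object SamAccountName
```

Running Sync-ShadowGroup on a schedule keeps newly created Division1 accounts under the policy, and the final audit query should return no rows once the group is in sync.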