Your network consists of a single Active Directory domain. The network includes a branch office named
Branch1.
Branch1 contains a read-only domain controller (RODC) named Server1.
A global group named Branch1admins contains the user accounts for administrators. Administrators manage
the client computers and servers in Branch1.
You need to recommend a solution for delegating control of Server1.
Your solution must meet the following requirements:
Allow the members of the Branch1admins group to administer Server1, including changing device drivers and
installing operating system updates by using Windows Update.
Provide the Branch1admins group rights on Server1 only.
Prevent the Branch1admins group from modifying Active Directory objects.
What should you recommend?
A. Add the Branch1admins global group to the Server Operators builtin local group.
B. Add the members of the Branch1admins global group to the Administrators builtin local group of Server1.
C. Grant Full Control permission on the Server1 computer object in the domain to the Branch1admins group.
D. Move the Server1 computer object to a new organizational unit (OU) named Branch1servers. Grant Full
Control permission on the Branch1servers OU to the Branch1admins group.
Explanation:
ADMINISTRATOR ROLE SEPARATION
Administrator Role Separation (ARS) is an RODC feature that lets domain administrators delegate a user or a
security group as the local administrator for installation and administration of an RODC, without granting
them any additional rights in the domain.
To specify a delegated RODC administrator:
During RODC installation, set up the account by using one of the following:
1. Active Directory Domain Services Installation Wizard
2. dcpromo command with the parameter /DelegatedAdmin.
3. In an answer file (adding the parameter /DelegatedAdmin).
After installation of the RODC, use one of the following:
1. In the Active Directory Users and Computers snap-in, modify the Managed By tab of the RODC account
properties.
2. Use the ntdsutil local roles command (not recommended, as the information is saved locally on the RODC).
3. Use the dsmgmt local roles command (not recommended, as the information is saved locally on the RODC).
http://technet.microsoft.com/en-us/library/cc755310(v=WS.10).aspx