What should you recommend?

Your network consists of a single Active Directory domain. The network includes a branch office
named Branch1. Branch1 contains a Read only Domain Controller (RODC) named Server1. A global
group named Branch1admins contains the user accounts for administrators. Administrators manage
the client computers and servers in Branch1. You need to recommend a solution for delegating
control of Server1. Your solution must meet the following requirements:
• Allow the members of the Branch1admins group to administer Server1 including, change
device drivers and install operating system updates by using Windows Update.
• Provide the Branch1admins group rights on Server1 only.
• Prevent Branch1admins group from modifying Active Directory objects.
What should you recommend?

Your network consists of a single Active Directory domain. The network includes a branch office
named Branch1. Branch1 contains a Read only Domain Controller (RODC) named Server1. A global
group named Branch1admins contains the user accounts for administrators. Administrators manage
the client computers and servers in Branch1. You need to recommend a solution for delegating
control of Server1. Your solution must meet the following requirements:
• Allow the members of the Branch1admins group to administer Server1 including, change
device drivers and install operating system updates by using Windows Update.
• Provide the Branch1admins group rights on Server1 only.
• Prevent Branch1admins group from modifying Active Directory objects.
What should you recommend?

A.
Add the Branch1admins global group to the Server Operators builtin local group.

B.
Add the members of the Branch1admins global group to the Administrators builtin local group of
Server1.

C.
Grant Full Control permission on the Server1 computer object in the domain to the
Branch1admins group

D.
Move the Server1 computer object to a new organizational unit (OU) named Branch1servers.
Grant Full Control permission on the Branch1servers OU to the Branch1admins group.

Explanation:

http ://technet.microsoft.com/en-us/library/cc753223%28WS.10%29.aspx
Administrator role separation
Administrator role separation specifies that any domain user or security group can be delegated to
be the local administrator of an RODC without granting that user or group any rights for the domain
or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to
perform maintenance work, such as upgrading a driver, on the server. But the delegated
administrator is not able to log on to any other domain controller or perform any other
administrative task in the domain. In this way, a security group that comprises branch users, rather
than members of the Domain Admins group, can be delegated the ability to effectively manage the
RODC in the branch office, without compromising the security of the rest of the domain.



Leave a Reply 0

Your email address will not be published. Required fields are marked *