You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest, which contains three domains named contoso.com, region1.contoso.com, and region2.contoso.com.
All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the three domains is Windows Server The company contains a helpdesk team, which is a part of the Account Operators group in the contoso.com domain. The members of helpdesk team frequently join and leave the helpdesk team. The helpdesk employees have all the permissions to modify the properties of user objects in contoso.com.
Which of the following options would you choose to minimize the administrative effort required to manage the frequent changes to the helpdesk staff and enable the helpdesk employees to manage the user objects in all the three domains. (Select two. Each selected option will present a part of the answer.)
A.
Add the respective helpdesk user accounts to the Account Operators group in both region1.contoso.com and region2.contoso.com.
B.
Create a new global group for helpdesk users in contoso.com. Add the helpdesk user accounts to the global group and to the Account Operators group in all three domains.
C.
Assign Full Control permissions to the Account Operators group in contoso.com for user accounts in all three domains.
D.
Create a new global group in contoso.com for helpdesk users in contoso.com. Add the helpdesk user accounts to the global group and then add the global group to the Accounts Operators group that is on every member server in all three domains.
E.
None of the above
Explanation:
To minimize the administrative effort required to manage the frequent changes to the helpdesk staff and enable the helpdesk employees to manage the user objects in all the three domains, you need to: Create a new global group in contoso.com named Helpdesk-group. Add the helpdesk user accounts to Helpdesk-group. Add Helpdesk-group to the Account Operators group that is in all three domains
Helpdesk-group global group will help the helpdesk users to administer the domain tree or forest. Next when you add the Helpdesk-group to the Account Operators group that is in all three domains, you would limit the privileges of this group. Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can’t manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can’t modify user rights.
Reference: Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspxReference: Securing the Local Administrators Group on Every Desktop