You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Administrators manage the client computers and servers in the Branch office.
Branch office of the company contains a Read-only Domain Controller (RODC) named contosoServer1.A global group called Branch-admins contains the user accounts for administrators.
You have been asked to recommend a solution for delegating control of contosoServer1 in such as way that Branch-admins group has rights on contosoServer1 only and they should not be allowed to modify Active Directory objects.
Besides, all the members of the Branch-admins group are allowed to administer contosoServer1; including, the change of device drivers and installation of operating system updates by using Windows Update.
Which of the following options would you choose to accomplish the desired task?
A.
On contosoServer1, add the Branch-admins global group to the Administrators local group.
B.
Add the Branch-admins global group to the Server Operators domain local group.
C.
Create a new OU and move the contosoServer1 computer object to a new OU and then grant Full Control permission on the new OU to the Branch-admins group.
D.
On the contosoServer1 computer object in the domain Grant Full Control permission to the Branch-admins group.
E.
None of the above
Explanation:
To accomplish the desired task, you need to add the Branch1-admins global group to the Administrators local group of contosoServer1.
Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account.
Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it’s a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.