You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain..
Branch office of the company contains a Read-only Domain Controller (RODC) named contosoServer1. A global group called GLB contains the user accounts for administrators.
Which of the following options would you choose to ensure that GLB group has rights on contosoServer1 only and they should not be allowed to modify Active Directory objects?
Which of the following options would you choose to accomplish the desired task?
A.
On contosoServer1, add the GLB global group to the Administrators local group.
B.
Add the GLB global group to the Server Operators domain local group.
C.
Create a new OU and move the contosoServer1 computer object to a new OU and then grant Full Control permission on the new OU to the GLB group.
D.
On the contosoServer1 computer object in the domain Grant Full Control permission to the GLB group.
E.
None of the above
Explanation:
To accomplish the desired task, you need to add the GLB global group to the Administrators local group of contosoServer1.
Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location.
Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it’s a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.
Reference: Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspxReference: Securing the Local Administrators Group on Every Desktop
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html