A company has an Active Directory Domain Services (AD DS) domain. All servers run Windows Server 2008 R2.
The company plans to add a large number of members to the Account Operators group. You create a new organizational unit (OU), move the Account Operators group to the new OU, and delegate control of the OU to a server operator.
The server operator is unable make changes to the Account Operators group.
You need to ensure that the server operator can manage the Account Operators group.
What should you recommend? (More than one answer choice may achieve the goal. Select the BEST answer.)
A.
Set the dsHeuristic flag to include the Account Operators group in the AdminSDHolder protection.
B.
Make the server operator a Domain Administrator.
C.
Manually alter the access control lists (ACLs) on the Account Operators group to allow the server operator control.
D.
Set the dsHeuristic flag to exclude the Account Operators group from the AdminSDHolder protection.
The answer should be D
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx
http://m.windowsitpro.com/active-directory/advanced-active-directory-security
https://msviennatechnoblog.wordpress.com/2013/12/31/how-to-modify-security-inheritance-on-active-directory-objects-using-powershell/
The answer should be D
https://technet.microsoft.com/en-gb/magazine/2009.09.sdadminholder.aspx
http://m.windowsitpro.com/active-directory/advanced-active-directory-security
https://msviennatechnoblog.wordpress.com/2013/12/31/how-to-modify-security-inheritance-on-active-directory-objects-using-powershell/
https://technet.microsoft.com/en-gb/magazine/2009.09.sdadminholder.aspx
http://m.windowsitpro.com/active-directory/advanced-active-directory-security
https://msviennatechnoblog.wordpress.com/2013/12/31/how-to-modify-security-inheritance-on-active-directory-objects-using-powershell/