Your network consists of one Active Directory domain. The functional level of the domain is Windows
Server 2008 R2. You have one organizational unit (OU) named AllUsers that contains all user
accounts for the domain. Your company has two departments named Sales and Engineering. Each
department has a department manager. Each department has a global security group that contains
all department users.
You need to prepare the environment to manage all user accounts.
The solution must meet the following requirements:
Sales department users must be required to reset their passwords every 30 days.
Department managers must administer only users in their respective departments.
Engineering department users must be required to reset their passwords every 45 days.
The solution must be achieved by using the minimum amount of administrative effort.
What should you do?
A. Delegate administration of the AllUsers OU to the department manager of each department.
Modify the password policy for the domain.
B. Create a new OU for each department. Delegate administration to the department manager of
each OU. Create a new password policy for each global security group.
C. Create a child domain for each department. Delegate administration to the department manager
of each domain. Create a new password policy for each domain.
D. Create a new OU for each department. Delegate administration to the department manager of
each new OU. Create a new Group Policy object. Configure the password policy for the new GPO and
link it to the OUs.
Explanation:
To allow the department managers to manage the user accounts of only their own departments, you
need to create a new OU for each department and delegate administration of each OU to its
department manager. To require the users of the Sales and Development departments to change
their passwords every 30 days and 45 days respectively, you need to create a new password policy
for each global security group. Organizations that want different password and account lockout
settings for different sets of users need to use fine-grained password policies. These policies
cannot be applied to an organizational unit (OU) directly. To apply a fine-grained password policy
to the users of an OU, you can use a shadow group, which is a global security group.
AD DS: Fine-Grained Password Policies / Are there any special considerations?
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true
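
The per-group password policies described in the explanation can be created with the ActiveDirectory PowerShell module, as in this added example (not part of the original question). The group names "Sales" and "Engineering", the PSO names, and every setting other than the 30-day and 45-day maximum password age are assumptions.

```powershell
# Added example: one fine-grained password policy (PSO) per department group.
# Assumed names: global security groups 'Sales' and 'Engineering', PSO names below.
Import-Module ActiveDirectory

$policies = @(
    @{ Name = 'PSO-Sales';       Group = 'Sales';       MaxAgeDays = 30; Precedence = 10 },
    @{ Name = 'PSO-Engineering'; Group = 'Engineering'; MaxAgeDays = 45; Precedence = 20 }
)

foreach ($p in $policies) {
    # A PSO applies to users and global security groups, never to an OU.
    $group = Get-ADGroup -Identity $p.Group
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$($p.Group) is not a global security group; skipping."
        continue
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        $settings = @{
            Name                        = $p.Name
            Precedence                  = $p.Precedence   # lower value wins on overlap
            MaxPasswordAge              = New-TimeSpan -Days $p.MaxAgeDays
            MinPasswordAge              = New-TimeSpan -Days 1      # assumed value
            MinPasswordLength           = 12                        # assumed value
            PasswordHistoryCount        = 24                        # assumed value
            ComplexityEnabled           = $true
            ReversibleEncryptionEnabled = $false
            LockoutThreshold            = 10                        # assumed value
            LockoutDuration             = New-TimeSpan -Minutes 30  # assumed value
            LockoutObservationWindow    = New-TimeSpan -Minutes 30  # assumed value
        }
        New-ADFineGrainedPasswordPolicy @settings
    }
    # Link the PSO to the group only if it is not already a subject.
    $applied = Get-ADFineGrainedPasswordPolicySubject -Identity $p.Name
    if (-not ($applied | Where-Object { $_.DistinguishedName -eq $group.DistinguishedName })) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $group
    }
}

# Report the PSO that actually wins for each member; no result means the
# account still falls back to the domain password policy.
foreach ($p in $policies) {
    Get-ADGroupMember -Identity $p.Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $pso = if ($rp) { $rp.Name } else { '(domain default)' }
            New-Object PSObject -Property @{ User = $_.SamAccountName; Group = $p.Group; AppliedPSO = $pso }
        }
}
```

A user who belongs to both groups receives the PSO with the lower precedence value, so the report is worth reviewing whenever group membership overlaps.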