You need to delegate the required permissions to Admin1

Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2012 R2.
The domain contains 200 Group Policy objects (GPOs).
An administrator named Admin1 must be able to add new WMI filters from the Group Policy
Management Console (GPMC).
You need to delegate the required permissions to Admin1. The solution must minimize the number
of permissions assigned to Admin1.
What should you do?

Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2012 R2.
The domain contains 200 Group Policy objects (GPOs).
An administrator named Admin1 must be able to add new WMI filters from the Group Policy
Management Console (GPMC).
You need to delegate the required permissions to Admin1. The solution must minimize the number
of permissions assigned to Admin1.
What should you do?

A.
From Active Directory Users and Computers, add Admin1 to the
WinRMRemoteWMIUsers__group.

B.
From Group Policy Management, assign Creator Owner to Admin1 for the WMI Filters container.

C.
From Active Directory Users and Computers, add Admin1 to the Domain Admins group.

D.
From Group Policy Management, assign Full control to Admin1 for the WMI Filters container.

Explanation:

Users with Full control permissions can create and control all WMI filters in the domain, including
WMI filters created by others.
Users with Creator owner permissions can create WMI filters, but can only control WMI filters that
they create.

http://technet.microsoft.com/en-us/library/cc757429(v=ws.10).aspx

Show Hint

Leave a Reply 12

Your email address will not be published. Required fields are marked *

Gordon Freeman

Gordon Freeman

The question states “able to add new WMI filters”, not add and control therefore “Full Control” is not least privilege to achieve the requirements. The answer should be B- Creator Owner.

Reply

Hernan

Hernan

You are right, Gordon.
The correct answer is B

Reply

LWG

LWG

the alternate of this question is:

Admin1 must be able to edit existing and add new WMI filters from the Group Policy
Management Console (GPMC)

Reply

Bas

Bas

B

Reply

Paulo Barbosa

Paulo Barbosa

Hello, Bas, your comments are very important. Tell me why not D?

Reply

Peter77

Peter77

From MSDN…
Creator Owner allows the user to create new WMI Filters in the domain, but does not grant them permissions on WMI filters created by other users. Full Control allows the user to create WMI filters, and grants them full control on all WMI Filters in the domain.

So CREATOR OWNER is enough to add new WMI filter

Answer B

Reply

hippo

hippo

yep, so it seems… There’s however another one, that asks for permissions to edit existing WMIs, then it’ll be the full control one.

Reply

Fréd

Fréd

Answer: B (add new = assign creator owner)

Reply

Justbecause

Justbecause

I’m going with B, least rights to create new WMI Filters

Reply

Sander

Sander

Answer: D. The solution must minimize the number of permissions assigned to Admin1. Creator Owners group also have permmisions to create gpo’s

Reply

PauliusP

PauliusP

Read it more carefully. B option says “assign Creator Owner to Admin1 for the WMI Filters container”. Read the explanation as well.

Reply