Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. You need to provide an Administrator named Admin1 with the ability to create GPOs in the domain. The solution must not provide Admin1 with the ability to link GPOs. What should you use?
A. dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gptedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Set-GPPermission – correct answer. The bottom 3 are lighting up as correct answers
I would go with Add-ADGroupMember for the following reasons.
1. If we look at what Set-GPPermission does, it doesn’t mention that the user can “CREATE” a new GPO. This cmdlet grants a level of permissions to a security principal (user, security group, or computer) for one GPO or all the GPOs in a domain. That means the GPO should already exist in the domain (created beforehand).
I also noticed that the valid permission levels are: GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity or None. Thus it does not allow creating a new GPO.
https://technet.microsoft.com/en-us/library/ee461038.aspx
2. There is a group called the “Group Policy Creator Owners” group. The Group Policy Creator Owners group lets its members CREATE new GPOs, and the Group Policy Creator Owners group has NO permission to link GPOs to a container such as a domain or OU.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/c0405dce-56b6-411d-92b8-38ec2c4e0eb8/rights-when-adding-someone-to-group-policy-creator-?forum=winserverDS
https://technet.microsoft.com/en-us/library/cc978262.aspx
Correct Answer: J
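
The three rights this question separates (create, per-GPO permission, link) can be checked independently. The following read-only audit is an added example, not part of the original page; it assumes the ActiveDirectory and GroupPolicy modules are installed, and it only inspects ACEs that name the account directly, and only on the domain root.

```powershell
# Added example, not from the original page. Read-only audit; needs the
# ActiveDirectory and GroupPolicy modules (RSAT) in a domain-joined session.
Import-Module ActiveDirectory, GroupPolicy

$account  = 'Admin1'                            # account name from the question
$domainDN = (Get-ADDomain).DistinguishedName    # e.g. DC=contoso,DC=com

# 1. Create right: membership of Group Policy Creator Owners, nested groups expanded.
$creators  = Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive
$canCreate = $creators.SamAccountName -contains $account

# 2. Per-GPO rights: the levels Set-GPPermission writes (GpoRead, GpoApply, GpoEdit, ...).
#    Only ACEs that name the account directly are listed here.
$gpoRights = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $account } |
        ForEach-Object {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Level = $_.Permission }
        }
}

# 3. Link right: write access to the gPLink attribute of a container.
#    The attribute GUID is read from the schema rather than hard-coded.
$gpLinkAttr = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID
$gpLinkGuid = [guid]$gpLinkAttr.schemaIDGUID
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Limitation: checks the domain root only, and only property-specific Allow ACEs
# for this account. OUs, sites, group-granted and all-property writes need the
# same test applied to each container and each group the account belongs to.
$linkAces = (Get-Acl -Path "AD:\$domainDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $writeProp) -and
    $_.ObjectType -eq $gpLinkGuid -and
    $_.IdentityReference -like "*\$account"
}

[pscustomobject]@{
    Account                = $account
    CanCreateGpos          = $canCreate
    GposWithDirectAce      = @($gpoRights).Count
    DirectLinkAcesOnDomain = @($linkAces).Count
}
$gpoRights | Sort-Object Gpo | Format-Table -AutoSize
```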