Your network contains an Active Directory forest named contoso.com. The forest contains one domain.
Your company plans to open a new division named Division1. A group named Division1Admins will administer
users and groups for Division1.
You identify the following requirements for Division1:
– All Division1users must have a complex password that is 14 characters.
– Division1Admins must be able to manage the user accounts for Division1.
– Division1Admins must be able to create groups, and then delete the groups that they create.
– Division1Admins must be able to reset user passwords and force a password change at the next logon for all
Division1users.
You need to recommend changes to the forest to support the Division1 requirements.
What should you recommend?
More than one answer choice may achieve the goal. Select the BEST answer.
A.
Create a new child domain named divisionl.contoso.com. Move all of the Division1 user accounts to the new
domain. Add the Division1Admin members to the Domain Admins group.
Configure the password policy in a Group Policy object (GPO).
B.
In the forest, create a new organizational unit (OU) named Division1 and add Division1Admins to the
Managed By attribute of the new OU. Move the Division1 user objects to the new OU.
Create a fine-grained password policy for the Division1 users.
C.
Create a new forest. Migrate all of the Division1user objects to the new forest and add the Division1Admins
members to the Enterprise Admins group. Configure the password policy in a Group Policy object (GPO).
D.
In the forest, create a new organizational unit (OU) named Division1 and delegate permissions for the OU to
the Division1Admins group. Move all of the Division1 user accounts to the new OU.
Create a fine-grained password policy for the Division1 users.
An OU for an entire division?? Shouldn’t be better a child domain??
0
0
I believed the division is equal to department.
0
0
I don’t understand this answer at all:
1. The password length of default domain password policy if from 0 – 14, so 14 can be done without fine-grained password policy.
2. The question doesn’t say anything about the minimum password length of other user accounts, so we can simply change the default domain password policy to make the minimum password length of all the accounts to be 14. So we don’t even need a child domain.
3. What’s the difference between B and D?
4. I understand creating a new OU is better than creating a new child domain, but does changing the default domain password policy better than fine-grained password policy here? why bother?
0
0