Your network contains an Active Directory forest named contoso.com. The forest contains
five domains. All domain controllers run Windows Server 2012 R2.
The contoso.com domain contains two user accounts named Admin1 and Admin2.
You need to ensure that Admin1 and Admin2 can configure hardware and services on all of
the member servers in the forest. The solution must minimize the number of privileges
granted to Admin1 and Admin2.
Which built-in groups should you use?
A.
Administrators local groups
B.
Administrators domain local groups
C.
Domain Admins global groups
D.
Server Operators global groups
Can Please explain!
1
0
Hi Mohamed,
the goal is, that the accounts Admin1 and Admin2 can configure Hardware & Services on all MEMBER Servers with the minimum of privileges.
As only member Servers are supposed to be administered, they don´t need any privileges in the domains, but the Domain Admins as well as the global domain Administrator Group have privileges in the Domains. The same applies to members of the Server Operators Group.
So all members of the above mentioned goups could – for example – log on locally on a Domain Controller and do some or more administrative tasks there, while the local Administrators Group is only local and individual on each Server and not exisiting on Domain Controllers, but on all Member Servers.
Keep in mind, that in Microsoft´s terminology you either have a Domain Controller or a member Server, which is not a Domain Controller.
By adding Admin1 and Admin2 to the local Administrators Groups on all the member Servers, the can handle Services as well as Hardware issues, as they have local Administrator rights just on the servers themselves, but absolutelly no administrative rights in the Domain.
Hope I could have helped you!
Cheers, Michael
Bu
7
0
Thank you Michael for help
Now it is clear
1
0
very clear explanation…Thank you Michael
1
0
Very clear explanation. Awesome Michael! Thanks!
1
0
Well explained
0
0
Thanks!!!!
0
0
very clear!thx!
0
0
Clear explanation. Thanks Michael.
0
0
answer is C – Domain Admin Global groups
Question states:
The forest contains five domains
ALSO
…configure hardware and services ON ALL of the MEMBER SERVERS IN FOREST
Adding Admin1 and Admin2 individually to local admins would be done by Group Policy > Preferences and outside scope of this question
0
0
/cough
“Which *built-in* groups should you use?”
/coughcough
Domain groups aren’t built-in bro. Built-in groups include the following:
-Administrators
-Account Operators
-Backup Operators
-Server Operators
-Print Operators
There is another, more efficient way to complete this, which is “Delegation of Administration” but in this case the question refers to “built-in” groups ^_^
Take a peek, it’s some neat stuff: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Built-in-Groups-Delegation.html
0
0
Here are a few of the web pages we recommend for our visitors.
0
0
Usually posts some extremely fascinating stuff like this. If you are new to this site.
0
0
Every after in a when we pick blogs that we read. Listed beneath would be the most up-to-date internet sites that we opt for
0
0
one of our visitors just lately encouraged the following website
0
0
The information and facts talked about in the write-up are a number of the best readily available
0
0
below you will obtain the link to some web pages that we think you need to visit
0
0
The information talked about in the article are a few of the best out there
0
1
here are some links to sites that we link to simply because we believe they’re worth visiting
0
1
we prefer to honor many other world wide web internet sites on the web, even though they arent linked to us, by linking to them. Beneath are some webpages really worth checking out
0
1
Very clear now.
Thanks Michael!
0
0