Your network consists of a single Active Directory domain. The network includes a branch office named Branch1. Branch1 contains a Readonly Domain Controller (RODC) named Server1. A global group named Branch1admins contains the user accounts for administrators. Administrators manage the client computers and servers in Branch1.

You need to recommend a solution for delegating control of Server1.

Your solution must meet the following requirements:

– Allow the members of the Branch1admins group to administer Server1 including, change device drivers and install operating system updates by using Windows Update.
– Provide the Branch1admins group rights on Server1 only.
– Prevent Branch1admins group from modifying Active Directory objects.

What should you recommend?

A.
Add the Branch1admins global group to the Server Operators builtin local group.

B.
Add the members of the Branch1admins global group to the Administrators builtin local group of Server1.

C.
Grant Full Control permission on the Server1 computer object in the domain to the Branch1admins group

D.
Move the Server1 computer object to a new organizational unit (OU) named Branch1servers.
Grant Full Control permission on the Branch1servers OU to the Branch1admins group.

Explanation:

http://technet.microsoft.com/en-us/library/cc753223%28WS.10%29.aspx

Administrator role separation

Administrator role separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator is not able to log on to any other domain controller or perform any other administrative task in the domain. In this way, a security group that comprises branch users, rather than members of the Domain Admins group, can be delegated the ability to effectively manage the RODC in the branch office, without compromising the security of the rest of the domain.