PrepAway - Latest Free Exam Questions & Answers

You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on R0D

Your network contains an Active Directory domain named contoso.com. The domain contains a
read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and
the software on RODC1. The solution must not provide RODC_Admins with the ability to manage
Active Directory objects.
What should you do?


A.
From Active Directory Sites and Services, configure the Security settings of the RODC1 server
object.

B.
From Windows PowerShell, run the Set-ADAccountControl cmdlet.

C.
From a command prompt, run the dsmgmt local roles command.

D.
From Active Directory Users and Computers, configure the Member Of settings of the RODC1
account.

Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators
One of the benefits of an RODC is that you can add local administrators who do not have full
domain administration access. This gives them the ability to manage the server but not to add or
change Active Directory objects unless those roles are delegated. Adding this type of user is done
using the dsmgmt.exe utility at the command prompt.

7 Comments on “You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on R0D

  1. Travis says:

    According to Microsoft, this answer is not a best practice.
    https://technet.microsoft.com/en-us/library/cc755310(v=ws.10).aspx
    “Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.”



