Designing and Implementing a Server Infrastructure — Question 45

Your network contains an Active Directory forest named contoso.com. The forest contains one domain.
Your company plans to open a new division named Division1. A group named Division1Admins will administer users and groups for Division1.
You identify the following requirements for Division1:
✑ All Division1 users must have a complex password that is 14 characters.
✑ Division1Admins must be able to manage the user accounts for Division1.
✑ Division1Admins must be able to create groups, and then delete the groups that they create.
✑ Division1Admins must be able to reset user passwords and force a password change at the next logon for all Division1 users.
You need to recommend changes to the forest to support the Division1 requirements.
What should you recommend?
More than one answer choice may achieve the goal. Select the BEST answer.

Answer options

• A. In the forest, create a new organizational unit (OU) named Division1 and delegate permissions for the OU to the Division1Admins group. Move all of the Division1 user accounts to the new OU. Create a fine-grained password policy for the Division1 users.
• B. Create a new child domain named division1.contoso.com. Move all of the Division1 user accounts to the new domain. Add the Division1Admin members to the Domain Admins group. Configure the password policy in a Group Policy object (GPO).
• C. Create a new forest. Migrate all of the Division1 user objects to the new forest and add the Division1Admins members to the Enterprise Admins group. Configure the password policy in a Group Policy object (GPO).
• D. In the forest, create a new organizational unit (OU) named Division1 and add Division1Admins to the Managed By attribute of the new OU. Move the Division1 user objects to the new OU. Create a fine-grained password policy for the Division1 users.

Correct answer: A

Explanation

Option A is the best choice because it allows for the creation of a dedicated OU for Division1, where specific permissions can be delegated to Division1Admins for managing users and groups as required. It also supports the implementation of a fine-grained password policy specifically for Division1 users. Options B and C involve creating new domains or forests, which adds unnecessary complexity and does not align as closely with the requirements. Option D, while similar to A, does not provide the necessary delegation of permissions, as it only adds Division1Admins to the Managed By attribute without giving them the appropriate rights.