Identity with Windows Server 2016 — Question 178
Your network contains a single-domain Active Directory forest named contoso.com. The forest functional level is Windows Server 2016. The forest has Dynamic Access Control enabled. The domain contains two domain controllers named DC1 and DC2. Privileged user accounts used to manage Active Directory reside in a group named Contoso\AD_Admins.
You create an authentication policy named Policy1 and an authentication policy silo named Silo1.
You need to ensure that the accounts in the Contoso\AD_Admins group can sign in to the domain controllers only.
Which three configurations should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer options
- A. Create an access control condition in Policy1.
- B. Create a managed service account and add the account to Permitted Accounts in Silo1.
- C. Add the domain controllers to the Contoso\AD_Admins group.
- D. Add the privileged user accounts and the domain controllers to Permitted Accounts in Silo1.
- E. Assign Silo1 to the privileged user accounts and the domain controllers.
Correct answer: A, D, E
Explanation
The correct answer has three parts: create an access control condition in Policy1 to specify the sign-in restrictions, add the privileged user accounts and the domain controllers to Permitted Accounts in Silo1 so that they can access the necessary resources, and assign Silo1 to those accounts to enforce the policy. The other options either do not restrict access correctly or do not meet the requirements of the task.