Identity with Windows Server 2016 — Question 30

Your network contains an Active Directory domain named contoso.com.
You plan to deploy a new Active Directory Rights Management Services (AD RMS) cluster on a server named Server1.
You need to create the AD RMS service account. The solution must use the principle of least privilege.
What should you do?

Answer options

• A. Create a local user account on Server1 and add the account to the Administrators group on Server1.
• B. Create a domain user account and add the account to the Administrators group on Server1.
• C. Create a domain user account and add the account to the Domain Users group in the domain.
• D. Create a domain user account and add the account to the Account Operators group in the domain.

Correct answer: C

Explanation

The correct answer is C because adding the account to the Domain Users group provides the necessary permissions without granting excessive rights, adhering to the principle of least privilege. Options A and B grant administrative privileges that are not required for the AD RMS service account, and option D gives more rights than necessary by placing the account in the Account Operators group.