Identity with Windows Server 2016 — Question 36

Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named TestOU that contains test computers.
You need to enable a technician named Tech1 to create Group Policy objects (GPOs) and to link the GPOs to TestOU. The solution must use the principle of least privilege.
Which two actions should you perform? Each correct answer presents part of the solution.

Answer options

• A. Add Tech1 to the Group Policy Creator Owners group.
• B. From Group Policy Management, modify the Delegation settings of the TestOU OU.
• C. Add Tech1 to the Protected Users group.
• D. From Group Policy Management, modify the Delegation settings of the contoso.com container.
• E. Create a new universal security group and add Tech1 to the group.

Correct answer: A, B

Explanation

The correct answer is A and B because adding Tech1 to the Group Policy Creator Owners group allows them to create GPOs, while modifying the Delegation settings of TestOU grants them the necessary permissions to link those GPOs to the OU. Options C, D, and E do not provide the specific permissions required for Tech1 to perform the necessary tasks in relation to GPOs within TestOU.