Securing Windows Server 2016 — Question 79
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
You need to allow network administrators to use Just Enough Administration (JEA) to change the TCP/IP settings on Server1. The solution must use the principle of least privilege.
How should you configure the session configuration file?
Answer options
- A. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
- B. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Contoso\Network Configuration Operators.
- C. Set RunAsVirtualAccount to $false and set RunAsVirtualAccountGroups to Network Configuration Operators.
- D. Set RunAsVirtualAccount to $true and set RunAsVirtualAccountGroups to Network Configuration Operators.
Correct answer: D
Explanation
The correct answer is D because setting RunAsVirtualAccount to $true allows the session to run under a managed service account, providing necessary permissions while maintaining security. Options A and C are incorrect because they set RunAsVirtualAccount to $false, which does not leverage the benefits of JEA, and option B incorrectly references the Contoso domain for the group instead of using the standard Network Configuration Operators group.
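A session configuration matching option D, as an added example that is not part of the original question. The module name `ContosoJEA`, the role capability and endpoint name `NetworkConfig`, the group `CONTOSO\NetworkAdmins`, the visible cmdlet list and the file paths are all assumptions chosen for illustration.

```powershell
# Added example: run elevated on Server1. All names below are hypothetical.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\ContosoJEA.psd1"

# Role capability: expose only the TCP/IP commands the operators need.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\NetworkConfig.psrc" `
    -VisibleCmdlets @(
        'Get-NetAdapter', 'Get-NetIPConfiguration', 'Get-NetIPAddress',
        'New-NetIPAddress', 'Set-NetIPAddress', 'Remove-NetIPAddress',
        'Set-DnsClientServerAddress'
    )

# Session configuration file (.pssc) with the settings from option D.
$configDir  = Join-Path $env:ProgramData 'JEAConfiguration'
$transcript = Join-Path $configDir 'Transcripts'
New-Item -ItemType Directory -Path $transcript -Force | Out-Null
$pssc = Join-Path $configDir 'NetworkConfig.pssc'

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -RunAsVirtualAccountGroups 'Network Configuration Operators' `
    -RoleDefinitions @{
        # Hypothetical domain group holding the network administrators.
        'CONTOSO\NetworkAdmins' = @{ RoleCapabilities = 'NetworkConfig' }
    } `
    -TranscriptDirectory $transcript

# Refuse to register a file that fails validation.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file '$pssc' is not valid."
}

# Register the endpoint, then review what was registered.
Register-PSSessionConfiguration -Name 'NetworkConfig' -Path $pssc -Force
Get-PSSessionConfiguration -Name 'NetworkConfig'
```

If `RunAsVirtualAccountGroups` is omitted on a member server, the virtual account is placed in the local Administrators group, so the group setting is what keeps this endpoint within least privilege.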