Administering Windows Server Hybrid Core Infrastructure — Question 38

You have a Microsoft Entra Domain Services domain named contoso.com.

You need to provide an administrator with the ability to manage Group Policy Objects (GPOs). The solution must use the principle of least privilege.

To which group should you add the administrator?

Answer options

Correct answer: A

Explanation

The correct choice is AAD DC Administrators: this group has the permissions needed to manage GPOs while still following the principle of least privilege. The other groups, such as Domain Admins, Schema Admins, and Enterprise Admins, provide broader permissions than required, so they do not satisfy least privilege. Members of Group Policy Creator Owners can create GPOs but do not have the same level of management capabilities as AAD DC Administrators.