7.7.9 Practice Questions
When following best practices for delegating administrative authority, which of the following is the first step in the process?
Identifying administrative roles based on specific administrative function or job
You are the network administrator for your company. Your company has three standalone servers that run Windows Server. All servers are located in a single location. You have decided to create a single Active Directory domain for your network. Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department. As you design Active Directory, your goal is to allow these users to maintain their responsibilities while not giving them more permissions than they need. Which of the following design plans will best meet your goals?
Create an organizational unit (OU) structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permissions to their department OUs.
You are in charge of designing the Active Directory tree. You have a small company that has only one location. You have determined that you will have approximately 500 objects in your completed tree. Your company is organized with four primary departments: accounting, manufacturing, sales, and administration. Each area is autonomous and reports directly to the CEO. The managers in each department want to make sure that some management control of their users and resources remains in the department. Which of the following design plans will best meet these requirements?
Create an organizational unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.
You are the manager of the eastsim.com domain. Your Active Directory structure has organizational units (OUs) for each company department. Assistant administrators help you manage Active Directory objects. For each OU, you grant one of your assistants full control over the OU. You come to work one morning to find that, while managing some user accounts, the administrator in charge of the Sales OU has deleted the entire OU. You restore the OU and all of its objects from a recent backup. You want to make sure that your assistants can't delete the OUs they are in charge of. What should you do? (Select two. Each choice is a possible solution.)
Edit the properties for each OU to prevent accidental deletion.
Remove full control permissions from each OU. Run the Delegation of Control wizard for each OU, granting permissions to perform the necessary management tasks.
The first step when delegating the right to create and link Group Policy Objects is to run the Delegation of Control Wizard at the domain or OU where the group should be able to link GPOs and then select Manage Group Policy links in the tasks to delegate. Which of the following is the second step?
Grant the user or group the rights to access the GPO container.
The Delegation of Control Wizard allows you to delegate administrative tasks to other administrators or groups. Which of the following IT security principles are you covering by performing this task?
The principle of least privilege
Which of the following is true when working with the Delegation of Control Wizard?
The rights delegated at the OU level will flow to the child OUs.
Delegating administrative authority means not only sharing administrative tasks with other users, but also which of the following?
Tightly controlling the permissions granted to each administrator.
You are the administrator for the westsim.com domain. Within the domain, you have OUs for the accounting, manufacturing, sales, and administration departments. You also have smaller OUs within each department OU, such as the ITAdmins OU in the Administration OU. You need to follow the principle of least privilege as you use the Delegation of Control wizard to complete the following: Give one user in each OU the rights necessary to manage user accounts in their OU. Give your assistants in the ITAdmins group rights to manage passwords for all users in the domain. Which of the following approaches can you use as you delegate control? (Select two. Each correct answer is part of the complete solution.)
1. Create a UserAdmin group in each department OU. 2. Make the user in each OU a member of the UserAdmin group. 3. In each department OU, delegate control to the UserAdmin group to perform user account tasks in that OU.
1. Create a PasswordAdmin group in the ITAdmins OU. 2. Make your assistants members of the PasswordAdmin group. 3. In the westsim.com domain, delegate control to the PasswordAdmin group to perform password tasks.
You are the administrator for the westsim.com domain, which has five domain controllers running Windows Server. All user and computer accounts have been placed in the department OUs. Main offices are located in Orlando, with additional offices in Boston, New York, and Chicago. There are three departments within the company: sales, marketing, and accounting. Employees from each department are at each location. You want to appoint an employee in each department to help with changing passwords for users within their department. They should not be able to perform any other tasks. What should you do?
Use the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for their department OU.
