Exam AZ-800 topic 1 question 4 discussion

Settings for user and computer objects in Azure Active Directory Domain Services (Azure AD DS) are often managed using Group Policy Objects (GPOs). Azure AD DS includes built-in GPOs for the AADDC Users and AADDC Computers containers. You can customize these built-in GPOs to configure Group Policy as needed for your environment. ANSWER (A): Members of the Azure AD DC administrators group have "Group Policy administration privileges in the Azure AD DS domain, and can also create custom GPOs and organizational units (OUs). " https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

Answer is A. Question states Azure ADDS not On-premise. Read the question carefully

To ensure the administrator can manage Group Policy Objects (GPOs) in Azure Active Directory Domain Services (Azure AD DS) while adhering to the principle of least privilege, follow these steps: Add the Administrator to the “AAD DC Administrators” Group: The AAD DC Administrators group is specifically designed for managing Azure AD DS. By adding the administrator to this group, you grant them the necessary permissions to manage GPOs without granting excessive privileges. This approach aligns with the principle of least privilege, ensuring that the administrator has only the required permissions for GPO management. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models

valid 27.11.23

A The "AAD DC Administrators" group is specifically designed to grant administrative privileges for Azure AD DS domain controllers. Members of this group have the permissions necessary to manage various aspects of the domain, including Group Policy Objects.

A is CORRECT ANSWER

The correct answer is A https://learn.microsoft.com/es-es/azure/active-directory-domain-services/manage-group-policy

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy Members of the Azure AD DC administrators group have Group Policy administration privileges in the Azure AD DS domain, and can also create custom GPOs and organizational units (OUs). Answer is A

Here is from Microsoft: You don't have Domain Administrator or Enterprise Administrator permissions on a managed domain using Azure AD DS. These permissions are reserved by the service and aren't made available to users within the tenant. AAD DC Administrators: administration group on domain-joined VMs, and configuring Group Policy.

AAD DC Administrators . Answer is A. https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced Instead, the AAD DC Administrators group lets you perform some privileged operations. These operations include belonging to the administration group on domain-joined VMs, and configuring Group Policy.

If question 6 (this topic) is AAD DC Administrators, then the answer here is also AAD DC Administrators.

A resposta correta é a B

AAD DC Administrators

Q:....provide an administrator ability to manage GPOs. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only the GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create. So the admin from this question will not be able to manage already set GPOs. There are no Enterprise or Domain admin accounts in Azure AD DS. Instead, there is a group called AAD DC Administrators used to manage Azure AD DS. Accounts in this group have rights such as local administrator on member servers and administrative rights required to manage Azure AD DS. Prerequisite for Azure AD DS Group Policy Objects: A user account that’s a member of the Azure AD DC administrators group in your Azure AD tenant.

Answer E: Group policy creator owner should be the correct answer. Least privilege is required. A Group policy creator owner group member can create, delete and link gpos to OUs

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy#open-the-group-policy-management-console-and-edit-an-object

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy