Exam AZ-800 topic 1 question 15 discussion

Correct Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain,

Correct Answer: Box1: Contoso\Domain Admins -> Tested this, domain admin can manage sites & site links for the current domain & child domains. Box2: Contoso\Enterprise Admins -> Tested this, domain admin cannot enroll domain controllers to child domains. You will need to be an enterprise admin. -> Also, admin 2 user is not a user in child domain, so therefore you will still need to make admin 2 a member of "Contoso\Enterprise Admins" group.

Clarification: Admin 1 can be part of the contoso\domain admin group as the user was created in the forest root domain and using least privilege does not need to be in the enterprise admin group. Admin 2 as per the question was created in the forest root domain contoso.com and not in the child domain. The question also states that admin 2 must deploy domain controllers TO the child domain, meaning that admin 2 is still in contoso.com. To enable admin 2 to be able to carry out this task, admin 2 would need to be in the enterprise admin group

This question is valid Exam date - 27-07-2024

east\domain admins is able to modify the settings on the east.contoso.com domain, however has no rights whatsoever on the contoso domain. When you add a domain controller on the child domain, you still need enough rights to do that on the parent domain, so I would say that the least privilege needed is contoso\domain admins for both

To create domain controllers in the east.contoso domain, an admin from the contoso domain would need to be a member of the “Administrators” domain local group in the east.contoso domain(1). This can be achieved by placing the users from the contoso domain into a global group in the contoso domain, then nesting that global group into the “Administrators” domain local group in the east.contoso domain1. This adheres to the Principle of Least Privilege (PoLP) because it grants only the necessary permissions to create domain controllers in the east.contoso domain, without granting excessive privileges.

In this scenario there is 1 single forest. Domain Admins is more than enough to create sites within the root domain. John needs to be enterprise admin to create a site in east.contoso.com which is outside the boundaries of contoso.com

Why not, Enterprise Admins? It's important to follow the principle of least privilege when assigning permissions.This helps to minimize the potential for damage if an account is compromised. To ensure that users can perform the tasks mentioned, you must add each user to the following group: Admin1: You must add Admin1 to the ContosoEnterprise Admins group. This group has permissions to create and manage Active Directory sites throughout the forest. Admin2: You must add Admin2 to the EastDomain Admins group. This group has permissions to deploy domain controllers in the east.contoso.com domain. Just a doubt, these questions of the test are quite confusing.

In the context of Active Directory, Enterprise Admin privileges are generally not required to create domain controllers in a child domain. Enterprise Admins have higher-level permissions that extend across all domains in the forest, including the ability to manage trusts and make changes that affect the entire forest. Domain Admins, on the other hand, have the necessary permissions to manage and administer objects within their specific domain, including the ability to promote domain controllers within that domain. This includes the creation of domain controllers in child domains. While Enterprise Admins can perform tasks related to the entire forest, such as managing trusts between domains, they are not explicitly required for the creation of domain controllers in a child domain. The Domain Admin role is typically sufficient for these tasks within the scope of a specific domain. However, it's essential to consider the principle of least privilege when assigning permissions. If a user or group only needs to perform tasks within a specific domain, granting Domain Admin privileges for that domain is more appropriate than assigning higher-level Enterprise Admin privileges that provide broader access across the entire forest.

admin2 is user of root domain , however answer is wrong. how it can be added in child domain as domain admin

Got this question 28-5-23

Answer is correct Enterprise admin is a higher level than Domain admin

Incorrect for both demo\domain admins Domain admins have full admin controllers you can manage AD sites as well as DCs with this permission.