New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Microsoft AZ-800 Exam - Topic 7 Question 11 Discussion

Actual exam question for Microsoft's AZ-800 exam
Question #: 11
Topic #: 7
[All AZ-800 Questions]

You have an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.

You need to provide an administrator with the ability to manage Group Policy Objects (GPOs). The solution must use the principle of least privilege.

To which group should you add the administrator?

Show Suggested Answer Hide Answer
Suggested Answer: B

Only the Domain Admins group and the Enterprise Admins group can fully manage GPOs. Members of the Group Policy Creator Owners group can create new GPOs but they can't link the GPOs to sites, the domain or OUs and they cannot manage existing GPOs.


by Ahmed at Jun 15, 2022, 11:23 AM

Limited Time Offer

25%

Off

Get Premium AZ-800 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Ming
4 months ago
I agree, AAD DC Administrators is the least privilege option here.
upvoted 0 times
...
Cordelia
4 months ago
Surprised that Group Policy Creator Owners isn't the answer!
upvoted 0 times
...
Odette
4 months ago
Definitely not Schema Admins, they have a different role.
upvoted 0 times
...
Walker
4 months ago
I think Domain Admins might be too much access for this.
upvoted 0 times
...
Aretha
4 months ago
AAD DC Administrators is the right choice for managing GPOs.
upvoted 0 times
...
Hildegarde
5 months ago
I’m confused; I thought Schema Admins were important for GPOs, but now I’m not so sure if they apply here.
upvoted 0 times
...
Natalya
5 months ago
I practiced a similar question where we had to assign GPO management rights, and I feel like Group Policy Creator Owners could be relevant too.
upvoted 0 times
...
Eve
5 months ago
I'm not entirely sure, but I remember something about the principle of least privilege suggesting we shouldn't use Domain Admins for this task.
upvoted 0 times
...
Kiley
5 months ago
I think the AAD DC Administrators group is the right choice since it specifically relates to managing Azure AD DS.
upvoted 0 times
...
Lavonne
5 months ago
Hmm, I'm a bit unsure about this one. The question mentions using Marketing Cloud Connect to connect Sales Cloud and Marketing Cloud, so I wonder if the Salesforce Triggered Sends option might be the best fit since it would leverage that integration.
upvoted 0 times
...
Jonelle
5 months ago
Hmm, I'm a bit unsure here. The question mentions the project team agreed on a 3-month timeline, so I'm not sure if option A is the best choice. Maybe I should consider the other options as well.
upvoted 0 times
...
LukiDuc
4 years ago
Explanation would be good if we considered standard on-premise AD, but for AZURE AD DS MS article says: "To administer group policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group" (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy)
upvoted 1 times
...

Save Cancel