Your network contains an Active Directory forest named contoso.com.
You need to provide a user named User1 with the ability to create and manage subnet objects.
The solution must minimize the number of permissions assigned to User1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control wizard.
B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.
C. From Active Directory Sites and Services, run the Delegation of Control wizard.
D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.
Correct Answer: C
Explanation/Reference:
Adding the user to the Schema Admins group or to the Network Configuration Operators group would give User1 too many rights. Since we have to delegate an administrative task concerning subnets, we have to run the Delegation of Control wizard from Active Directory Sites and Services.
The reference below is for Windows Server 2003 R2, but is still valid for 2008 R2.
Reference:
http://technet.microsoft.com/en-us/library/cc736770.aspx
Delegate control of a site
To delegate control of a site
1. Open Active Directory Sites and Services.
2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard.
3. Follow the instructions in the Delegation of Control Wizard.
Notes
(…)
In Active Directory Sites and Services, you can delegate control for the subnets, intersite transports, sites, and server containers.