Home » Microsoft » 70-417 v.2 » What should you do?
Your network contains an Active Directory domain named contoso.com. The domain contains 30 organizational units (OUs). You need to ensure that a user named User1 can link Group Policy Objects (GPOs) in the domain.
What should you do?
A. From the Active Directory Users and Computers, add User1 to the Network Configuration Operators group.
B. From the Group Policies Management, click the contoso.com node and modify the Delegation settings.
C. From the Group Policies Management, click the Group Policy Objects node and modify the Delegation settings.
D. From the Active Directory Users and Computers, add User1 to the Group Policy Creator Owners group.
Correct Answer: B
Explanation/Reference:
In addition to the administrators of a domain by default, members of the Group Policy Creator Owners group the right to create group policies. If you want to enable users or groups to itself to create GPOs, then there is a path on their inclusion in the Group Policy Creator Owners group.
However, since the introduction of the Group Policy Management, there are other and more granular ways to delegate rights to manage GPOs. Thus, other groups or even individual users can now be equipped with these privileges. For this purpose, you open the Group Policy Objects folder below the respective domain. Under the tab delegation is a list of all the groups and users who have the right to create GPOs. The button can add additional users are granted this privilege. No matter how a user gets the right to create GPOs to, he may subsequently only edit or delete, which he himself has created those. Denied him thus remains the possibility to change already existing group policies or generally to link GPOs to an OU. For these tasks, users must be authorized separately. The right to link GPOs can a user, as described in answer B, be granted.
References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755086(v=ws.11)