Your network contains an Active Directory forest named contoso.com. The forest contains three domains named contoso.com, corp.contoso.com, and ext.contoso.com. The forest contains three Active Directory sites named Site1, Site2, and Site3.
You have the three administrators as described in the following table.
You create a Group Policy object (GPO) named GPO1.
Which administrator or administrators can link GPO1 to Site2?
A. Admin1 and Admin2 only
B. Admin1, Admin2, and Admin3
C. Admin3 only
D. Admin1 and Admin3 only
coleman have write.
just tested on the lab only Enterprise Admin can link gpo on Site.
answer is D
the point is: THE FOREST has 3 sites, however the Enterprise and the Domain Admins (contoso.com) can link GPO in their Site Objects.
no
see the link please and don’t confuse us
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)?redirectedfrom=MSDN
You are wrong.
“To link an existing GPO to a site, domain, or OU, you must have Link GPOs permission on that site, domain, or OU. By default, only domain administrators and enterprise administrators have this privilege for domains and OUs. Enterprise administrators and domain administrators of the forest root domain have this privilege for sites.”
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11)?redirectedfrom=MSDN
38wrong , the answer should be C. Admin3 only.
By default, only Enterprise Admins group have full control permission on an Active Directory Site, this is inherited from the “CN=Sites” portion of the Configuration
directory partition.
Default permission for Domain Admins, they don’t have Full Control permission, While Enterprise Admins has full control permission.
Moreover, the “Enterprise Admins” group contains only Admin3 as stated by this question, therefore, only Admin3 can link GPO to a newly created site “Site2”.
This is a very tricky question that “Admin1” is a separate account, he/she is not the built-in “Administrator”!
When Admin1 belongs to the “Domain Admins” group only, he/she don’t have full control permission over forest-level objects and configurations like
“CN=Sites, CN=Configuration ……” partition.
This question was designed to emphasize the super-dominating power of the “Enterprise Admins” universal group at the forest-level of your entire directory.