Manage Group Policy Objects (GPOs) in Azure Active Directory Domain Services (Azure AD DS)

Azure AD DS Administrator Group for GPO Management

Question

You have an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.

You need to provide an administrator with the ability to manage Group Policy Objects (GPOs). The solution must use the principle of least privilege.

To which group should you add the administrator?

Answers

Explanations

A. AAD DC Administrators
B. Domain Admins
C. Schema Admins
D. Enterprise Admins
E. Group Policy Creator Owners

B

Only the Domain Admins group and the Enterprise Admins group can fully manage GPOs. Members of the Group Policy Creator Owners group can create new GPOs but they can't link the GPOs to sites, the domain or OUs and they cannot manage existing GPOs.

The correct answer to this question is option E, Group Policy Creator Owners.

Explanation: In Azure AD DS, the Group Policy Creator Owners group has the necessary permissions to manage Group Policy Objects (GPOs). Adding an administrator to this group will provide them with the ability to manage GPOs without granting them excessive privileges.

Option A, AAD DC Administrators, is incorrect as this group is used to manage domain controllers in Azure AD DS and does not have the necessary permissions to manage GPOs.

Option B, Domain Admins, is incorrect as this group has full administrative control over the domain and granting this level of access would violate the principle of least privilege.

Option C, Schema Admins, is incorrect as this group is used to manage the Active Directory schema and does not have the necessary permissions to manage GPOs.

Option D, Enterprise Admins, is incorrect as this group has full administrative control over all domains in the forest and granting this level of access would violate the principle of least privilege.

Therefore, the correct and most appropriate answer is option E, Group Policy Creator Owners.