Topic: AZ-800 topic 1 question 15

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child domain named east.contoso.com.
In the contoso.com domain, you create two users named Admin1 and Admin2.
You need to ensure that the users can perform the following tasks:
✑ Admin1 can create and manage Active Directory sites.
✑ Admin2 can deploy domain controllers to the east.contoso.com domain.
The solution must use the principle of least privilege.
To which group should you add each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Re: AZ-800 topic 1 question 15

Correct
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain,

Re: AZ-800 topic 1 question 15

To create domain controllers in the east.contoso domain, an admin from the contoso domain would need to be a member of the "Administrators" domain local group in the east.contoso domain [1]. This can be achieved by placing the users from the contoso domain into a global group in the contoso domain, then nesting that global group into the "Administrators" domain local group in the east.contoso domain [1].

This adheres to the Principle of Least Privilege (PoLP) because it grants only the necessary permissions to create domain controllers in the east.contoso domain, without granting excessive privileges.
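The nesting described in the post above, as an added example (not part of the original post, and not Microsoft's code): a global group in the root domain collects the delegated admins, that group is added to the child domain's built-in Administrators group, and the membership is read back from the child domain. The group name DCPromo-East, the container path, and the account name Admin2 are assumptions for illustration.

```powershell
# Added example: delegate DC promotion in east.contoso.com to a contoso.com user
# by nesting a root-domain global group into the child domain's Administrators group.
# "DCPromo-East", the Users container and "Admin2" are assumed names.
Import-Module ActiveDirectory

$rootDomain  = 'contoso.com'       # forest root domain
$childDomain = 'east.contoso.com'  # child domain receiving the new DC

# 1. Global group in the root domain that holds the delegated admin(s).
$grp = New-ADGroup -Name 'DCPromo-East' -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=contoso,DC=com' -Server $rootDomain -PassThru
Add-ADGroupMember -Identity $grp -Members 'Admin2' -Server $rootDomain

# 2. Nest that group into the child domain's Administrators (domain local) group.
#    Resolve the member as an object from the root domain first so the child DC
#    receives a full DN/SID rather than a bare name it cannot find locally.
$member = Get-ADGroup -Identity 'DCPromo-East' -Server $rootDomain
Add-ADGroupMember -Identity 'Administrators' -Members $member -Server $childDomain

# 3. Read the membership back from the child domain's side.
#    The Member attribute is used instead of -Recursive, which can fail on
#    cross-domain (foreign security principal) members.
(Get-ADGroup -Identity 'Administrators' -Server $childDomain -Properties Member).Member |
    Where-Object { $_ -like 'CN=DCPromo-East,*' }
```

The global-to-domain-local nesting matters for least privilege: Admin2 gets Administrators rights only in east.contoso.com, and the grant can be revoked by removing one group membership in the root domain without touching the child domain's groups.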

Re: AZ-800 topic 1 question 15

Here’s why other closely related groups are not correct:

Domain Admins: The Domain Admins group in the contoso domain does not have default rights on domain controllers in the east.contoso domain [2]. Also, adding the admin to the Domain Admins group of east.contoso would grant them more permissions than necessary, violating the PoLP.
Enterprise Admins: The Enterprise Admins group has full admin rights across all domains in the forest [3]. However, this would grant the admin excessive privileges across all domains, not just east.contoso, which again violates the PoLP [2].

Therefore, membership in the “Administrators” domain local group in the east.contoso domain is the most appropriate and least privilege solution. It provides the necessary rights to create domain controllers in the east.contoso domain, without granting excessive privileges in other areas.

Re: AZ-800 topic 1 question 15

1: https://serverfault.com/questions/38268/granting-domain-admins-rights-to-parent-domain-members

2: https://serverfault.com/questions/943769/enterprise-admins-dont-have-admin-permissions-in-child-domain

3: https://serverfault.com/questions/1080567/parent-domain-vs-child-domain

Extra info
https://www.dispersednet.com/active-directory/module4/create-child-domain.php

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory

Re: AZ-800 topic 1 question 15

Info gathered using co-pilot business; it may contain some errors. Check yourself, like I'm doing now; never assume anything you read here is correct.

Re: AZ-800 topic 1 question 15

In this scenario there is a single forest. Domain Admins is more than enough to create sites within the root domain. John needs to be an enterprise admin to create a site in east.contoso.com, which is outside the boundaries of contoso.com.

Re: AZ-800 topic 1 question 15

Why not, Enterprise Admins?

It's important to follow the principle of least privilege when assigning permissions. This helps to minimize the potential for damage if an account is compromised.


To ensure that users can perform the tasks mentioned, you must add each user to the following group:

Admin1: You must add Admin1 to the Contoso\Enterprise Admins group. This group has permissions to create and manage Active Directory sites throughout the forest.

Admin2: You must add Admin2 to the East\Domain Admins group. This group has permissions to deploy domain controllers in the east.contoso.com domain.

Just a doubt, these questions of the test are quite confusing.

Re: AZ-800 topic 1 question 15

* I remind you that it's just a doubt, these questions of the test are quite confusing.

Re: AZ-800 topic 1 question 15

In the context of Active Directory, Enterprise Admin privileges are generally not required to create domain controllers in a child domain. Enterprise Admins have higher-level permissions that extend across all domains in the forest, including the ability to manage trusts and make changes that affect the entire forest.

Domain Admins, on the other hand, have the necessary permissions to manage and administer objects within their specific domain, including the ability to promote domain controllers within that domain. This includes the creation of domain controllers in child domains.

While Enterprise Admins can perform tasks related to the entire forest, such as managing trusts between domains, they are not explicitly required for the creation of domain controllers in a child domain. The Domain Admin role is typically sufficient for these tasks within the scope of a specific domain.

However, it's essential to consider the principle of least privilege when assigning permissions. If a user or group only needs to perform tasks within a specific domain, granting Domain Admin privileges for that domain is more appropriate than assigning higher-level Enterprise Admin privileges that provide broader access across the entire forest.

Re: AZ-800 topic 1 question 15

Read the question carefully: Admin1 needs to be able to add sites on all the domains. Domain Admins cannot go beyond the boundaries of the domain.

Re: AZ-800 topic 1 question 15

Correct Answer:
Box1: Contoso\Domain Admins
-> Tested this, domain admin can manage sites & site links for the current domain & child domains.

Box2: Contoso\Enterprise Admins
-> Tested this, domain admin cannot enroll domain controllers to child domains. You will need to be an enterprise admin.
-> Also, admin 2 user is not a user in child domain, so therefore you will still need to make admin 2 a member of "Contoso\Enterprise Admins" group.
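The two tests the post above describes can be repeated without committing any change. The following is an added example (not the poster's script and not Microsoft's code): Admin1 creates a site and subnet in the forest-wide Configuration partition, and Admin2 runs the ADDSDeployment prerequisite check against east.contoso.com, which reports an error instead of promoting when the account lacks rights in that domain. The account names, the site name East-Site and the subnet 10.20.0.0/16 are assumptions for illustration; the promotion itself is only run once the check passes.

```powershell
# Added example: verify each delegated account's rights before changing the forest.
# Admin1/Admin2, "East-Site" and 10.20.0.0/16 are assumed names and values.
Import-Module ActiveDirectory
Import-Module ADDSDeployment   # available on a server with the AD DS role installed

$admin1 = Get-Credential -UserName 'CONTOSO\Admin1' -Message 'Site administrator'
$admin2 = Get-Credential -UserName 'CONTOSO\Admin2' -Message 'DC promotion account'

# Admin1: sites and subnets are objects under CN=Sites,CN=Configuration,DC=contoso,DC=com.
# The Configuration partition is forest-wide, so the write is the same no matter which
# domain the future DC will belong to; it fails if Admin1 has no rights on that partition.
New-ADReplicationSite   -Name 'East-Site' -Credential $admin1 -Server 'contoso.com'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'East-Site' -Credential $admin1 -Server 'contoso.com'

# Admin2: dry-run the promotion on the member server that will become the child-domain DC.
# Test-ADDSDomainControllerInstallation makes no changes; it returns Status/Message.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
$check = Test-ADDSDomainControllerInstallation `
    -DomainName 'east.contoso.com' `
    -Credential $admin2 `
    -SiteName 'East-Site' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm
$check | Format-List Status, Message

# Promote only when the prerequisite check succeeded; the server reboots on completion.
if ($check.Status -eq 'Success') {
    Install-ADDSDomainController `
        -DomainName 'east.contoso.com' `
        -Credential $admin2 `
        -SiteName 'East-Site' `
        -InstallDns:$true `
        -SafeModeAdministratorPassword $dsrm `
        -Force
}
```

Running the check with Admin2 in Contoso\Domain Admins, then in East\Administrators (or Contoso\Enterprise Admins), shows directly which membership the child-domain promotion actually requires, which is the comparison the post is reporting.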

Re: AZ-800 topic 1 question 15

Admin2 is a user of the root domain; however, the answer is wrong. How can it be added to the child domain as a domain admin?

Re: AZ-800 topic 1 question 15

Got this question 28-5-23

Re: AZ-800 topic 1 question 15

Answer is correct

Enterprise admin is a higher level than Domain admin

Re: AZ-800 topic 1 question 15

Incorrect: for both, demo\Domain Admins. Domain Admins have full admin control; you can manage AD sites as well as DCs with this permission.