ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam MD-100 All Questions

View all questions & answers for the MD-100 exam
Go to Exam

Exam MD-100 topic 3 question 17 discussion

Actual exam question from Microsoft's MD-100
Question #: 17
Topic #: 3
[All MD-100 Questions]

Your network contains an Active Directory domain. The domain contains computers that run Windows 10.
You need to provide a user with the ability to remotely create and modify shares on the computers. The solution must use the principle of least privilege.
To which group should you add the user?

  • A. Power Users
  • B. Remote Management Users
  • C. Administrators
  • D. Network Configuration Operators
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by nickw at Sept. 25, 2019, 1:15 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
nickw
Highly Voted 5 years, 9 months ago
Agreed C. Power Users can manage shares locally, but you'd need Admin to be able to connect to do this remotely.
upvoted 7 times
Xeno96
4 years, 8 months ago
Power users in win 10?
upvoted 4 times
...
AVP_Riga
4 years, 3 months ago
Power Users Group is still alive only for backwards compatibility, not more.
upvoted 2 times
...
...
DaZa5
Most Recent 2 years, 1 month ago
Selected Answer: C
C. Administrators Network Configuration Operators Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features: Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers. Rename the LAN connections or remote access connections that are available to all the users. Enable or disable a LAN connection. Modify the properties of all remote access connections of users. Delete all the remote access connections of users. Rename all the remote access connections of users. Issue ipconfig, ipconfig /release, and ipconfig /renew commands. Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#network-configuration-operators
upvoted 1 times
...
Buruguduystunstugudunstuy
2 years, 3 months ago
Selected Answer: D
Members of the Administrators group have full control over the computer, including the ability to remotely create and modify shares on Windows 10 computers. Adding a user to the Administrators group would provide them with the necessary permissions to manage network shares, but it would not follow the principle of least privilege, as this group has more privileges than necessary to manage network shares. If the solution must use the principle of least privilege, then adding the user to the Network Configuration Operators group is a better option, as this group has the necessary permissions to manage network shares while having fewer privileges than the Administrators group. However, if the user needs to have administrative privileges for other reasons, such as installing software or managing system settings, then adding them to the Administrators group may be necessary. In this case, other measures should be taken to limit the user's privileges as much as possible to minimize the risk of security breaches.
upvoted 1 times
Spefx
2 years, 3 months ago
Understand your explanation of principle of least privilege but curious if you actually tested this, the following was the order in which I tested which lead me to selecting "C -Administrators" 1. Created a new user named "Tech1" 2. Added the user "Tech1" to the "Network Configuration Operators" group. 3. Signed out of the administrative account, Signed in as "Tech1" 4. Ran the "Whoami /groups" command to validate that the user had membership to the "Network Configuration Operators" group. 5. Created a Folder C:\NewFolder - Success 6. Right Click, Properties, Select "Sharing" tab 7. Select "Share" 8. Press "Share" again, the icon with UAC icon 9. Be prompted for UAC, Enter credentials for "Tech1", Enter credentials and receive message that states "This action requires elevation" If you managed to get it working for a user that is a member of "Network Configuration Operators" group please provide the steps you followed.
upvoted 1 times
...
...
flabezerra
2 years, 9 months ago
Selected Answer: C
Administrators only The other accounts won't work because you will be UAC prompted. The bit doubt here would be using a Remote Management User. This user will have to access WMI resources and those resources also are affected by UAC. There's a lot of learning docs about the subject WMI beginning with the definition about Remote Management Users group. For further studies as I did, I'd recommend you do the same about this interesting group. Start in the link below https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#:~:text=Remote%20Desktop%20Users-,Remote%20Management%20Users,-Replicator
upvoted 2 times
...
chrys
3 years ago
Sorry, I meant Remote Management Users is too restrictive.
upvoted 1 times
...
chrys
3 years ago
It is C. Remote Management Users can use WMIC to create shares, BUT the folder has to already exist AND they need administrative permission to begin with on the remote machine AND they cannot use WMI to change share permissions. D is too restrictive.
upvoted 1 times
...
ceskil
3 years, 3 months ago
I always get misleaded by this statement, "The solution must use the principle of least privilege", and because of this statement I chose B, end up answer C. *Frustrated*
upvoted 3 times
...
Tommo
3 years, 3 months ago
Selected Answer: C
C is correct.
upvoted 1 times
...
zerikun
3 years, 8 months ago
So we have a domain with multiple computers and we want a user to connect remotely on all these computers and create a share, right? The question is vague. To which group should you add the user? Is the user a domain user? The mentioned group is it an AD group or a local group? If we need to add (and/or create) a user to a local group on all the computers (which can be dozens) is stupid. But the answer is correct: Administrators group If we need to add a domain user to a AD group, then the Administrators group is wrong choice, as all the others.
upvoted 1 times
...
Hisandy
4 years, 4 months ago
Why Remote Management Users can't do the job?
upvoted 2 times
Sh1rub10
4 years, 3 months ago
Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the WinRMRemoteWMIUsers_ group is allows remotely running Windows PowerShell commands. Default User Rights: None
upvoted 3 times
Cisco
4 years, 3 months ago
So its correct that Remote management users can run powershel commands but not create shares?
upvoted 1 times
...
...
...
ray_v78
4 years, 4 months ago
Note: in Windows 7 and above, Power Users only exists for legacy purposes, and is the same as ordinary Users, unless an admin explicitly adds extra rights to the group. https://serverfault.com/questions/525880/what-does-the-windows-7-local-group-power-users-actually-do
upvoted 1 times
...
hawkens
4 years, 8 months ago
Yes.. the group Power users is present for backwards compatibility.. But the answer is correct C.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel