Define Least Privilege Training Module - Question Provides Improper Guidance

Tyler Jacobs 0 Reputation points
2024-10-20T03:11:18.63+00:00

https://learn.microsoft.com/en-us/training/modules/perform-windows-server-secure-administration/2-define-least-privilege-administration

The quick review question states the following "An administrator at Contoso must create a user account in the Contoso.com domain. Which of the following group memberships enable the administrator to perform the task without exceeding the required privilege?"

The correct answer is "The administrator should sign in using an account that belongs to the domain local Account Operators group."

The implication of the answer is that it is recommended to use Account Operators over other administrative groups in AD (e.g., Enterprise Admins). However, it has been generally recommended for a long time not to use Account Operators.

I would suggest making a recommendation about the difference between one or more of the different listed Administrative groups (which actually shows up in the training module). I would leave out details about Account Operators entirely as it implies a recommendation.

This question is related to the following Learning Module


  1. Pradeep M 9,765 Reputation points Microsoft External Staff Volunteer Moderator
    2024-10-21T07:17:27.5833333+00:00

    Hi Tyler Jacobs

    Thank you for reaching out to the Microsoft Q&A forum.

    The correct answer is to use an account from the domain local Account Operators group, as it follows the principle of least privilege by providing only the permissions needed to create user accounts. This group offers the necessary access without the broader privileges of Enterprise Admins or local Administrators. 

    However, using the Account Operators group is generally discouraged in real-world scenarios due to the potential security risks, as members can modify sensitive accounts. A more secure approach is to delegate permissions using Role-Based Access Control (RBAC) or scoped administrative units, ensuring more precise control while still adhering to the principle of least privilege. 

    Please feel free to contact us if you have any additional questions.     

    If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.
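The OU-scoped delegation the answer describes, as an added example that is not part of the training module or the answer above: instead of adding an administrator to Account Operators (which carries rights over accounts across the whole domain), a single ACE grants a dedicated group the right to create user objects in one OU only. The domain contoso.com, the OU "Staff" and the group "UserProvisioners" are placeholder names assumed for this demo; it requires the ActiveDirectory PowerShell module and rights to modify the OU's ACL.

```powershell
# Added example (not from the training module or the answer above).
# Assumes the ActiveDirectory module, a domain contoso.com, an OU "Staff" and a
# group "UserProvisioners"; all of these are placeholders for this demo.
Import-Module ActiveDirectory

function Grant-UserCreateDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Resolve the schema GUID of the 'user' class instead of hard-coding it, so the
    # ACE covers creating user objects only (not groups, computers or other classes).
    $schemaNc  = (Get-ADRootDSE).schemaNamingContext
    $userClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
    $userClassGuid = [guid]$userClass.schemaIDGUID

    $groupSid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # CreateChild, limited to the user class, on this OU only (None = not inherited by child OUs).
    # This grants object creation alone; rights such as Reset Password would be separate ACEs.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $userClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-DelegatedRights {
    # Read back the ACEs held by the group on the OU to confirm the scope is as narrow as intended.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
}

$ou = 'OU=Staff,DC=contoso,DC=com'
Grant-UserCreateDelegation -OuDistinguishedName $ou -GroupName 'UserProvisioners'
Get-DelegatedRights -OuDistinguishedName $ou -GroupName 'UserProvisioners'
```

The read-back should show a single Allow ACE with ActiveDirectoryRights of CreateChild and an ObjectType equal to the user class GUID; any broader rights or inheritance appearing there means the delegation is wider than least privilege requires.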
