Understand the principle of least privilege, know when to use privileged access workstations, and be able to identify built-in privileged accounts.


Contoso, Ltd. is a financial services company in Seattle with major offices located throughout the world. Most of its compute environment runs on-premises on Windows Server. This includes virtualized workloads on Windows Server 2016 hosts.

Contoso IT staff are migrating Contoso on-premises servers to Windows Server 2022. As part of the migration, Contoso plans to expand into additional sites and use virtualization to help expedite bringing a new site online. The company is also generating larger volumes of data with plans for even more data in the future. Because of this, the company needs flexible storage options. Finally, Contoso plans to increase the use of virtualization to optimize their computing environment because many physical servers are underutilized.

As a Windows Server administrator, you are responsible for managing and maintaining the server infrastructure that will help Contoso achieve its business goals. Your first task is to determine how best to administer Windows Server. In the past, you’ve mostly signed in as an administrator at the server you wanted to administer. However, you now want to perform administration remotely, and use the principle of least privilege.

By the end of this module, you’ll know which user accounts you should use to perform administrative tasks, and you’ll understand how to perform Windows Server administration securely.

Learning objectives

After completing this module, you'll be able to:

  • Explain least privilege administrative models.
  • Implement delegated privilege.
  • Describe privileged access workstations.
  • Describe jump servers.


To get the best learning experience from this module, you should have knowledge and experience of:

  • Windows Server.
  • Basic security best practices.
  • Windows client operating systems such as Windows 10.
  • Working with command-line tools.