nerdexam
GIAC

GSLC · Question #101

GSLC Question #101: Real Exam Question with Answer & Explanation

The correct answer is D. Create a new global security group named CertAdmins.. To delegate PKI certificate management with least administrative burden, the best practice is to create a security group, assign it the Certificate Managers role, and add users as members rather than configuring each account individually.

Question

You work as a Network Administrator for Net World Inc. The company has a Windows Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. A Public Key Infrastructure (PKI) is installed on a server in the domain. You are planning to go on vacation for two weeks. Your team has three assistant administrators. You are required to accomplish the following tasks: - Delegate the authority to the assistant administrators to issue, approve, and revoke certificates. - The solution must involve least administrative burden. Which of the following steps will you take to accomplish the tasks?

Options

  • AAssign the Certificate Managers role to the assistant administrator user accounts.
  • BCreate a new global security group named CertAdmins.
  • CCreate a new global security group named CertAdmins.
  • DCreate a new global security group named CertAdmins.

Explanation

To delegate PKI certificate management with least administrative burden, the best practice is to create a security group, assign it the Certificate Managers role, and add users as members rather than configuring each account individually.

Common mistakes.

  • A. Assigning the Certificate Managers role directly to each individual user account requires separate role assignments per person, increasing administrative effort compared to a group-based approach.
  • B. Simply creating the group without assigning the Certificate Managers role to it accomplishes nothing - the group must be granted the role and populated with members to function.
  • C. Creating the group alone without completing the additional steps of role assignment and member population does not delegate any certificate management authority.

Concept tested. Delegating AD CS certificate management using role groups

Reference. https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/active-directory-certificate-services-overview

Community Discussion

No community discussion yet for this question.

Sign up to join the discussion
Full GSLC Practice