In an Azure Active Directory Domain Services (Azure AD DS) managed domain, the AAD DC Administrators group is specifically designed to delegate administrative tasks. Members of this group are granted permissions to perform domain administration, which includes creating, editing, and linking Group Policy Objects (GPOs) for custom Organizational Units (OUs). Assigning the administrator to this group provides the necessary permissions to manage GPOs without granting excessive privileges, thereby adhering to the principle of least privilege. Privileges for groups like Domain Admins and Enterprise Admins are reserved by the service and cannot be assigned to users.

B. Domain Admins: In Azure AD DS, users cannot be added to the Domain Admins group, as these permissions are reserved for the managed service to operate the domain.

C. Schema Admins: This group has permissions to modify the Active Directory schema, which is far beyond what is needed for GPO management and is a restricted group in Azure AD DS.

D. Enterprise Admins: Similar to Domain Admins, users cannot be added to the Enterprise Admins group in Azure AD DS; these elevated permissions are reserved for the service.

E. Group Policy Creator Owners: This group can create GPOs but can only manage the GPOs they create. It lacks the broader permissions to manage all GPOs or link them, which is required for full administration.

1. Microsoft Learn. (2023). Administer Group Policy on an Azure Active Directory Domain Services managed domain. In "Tutorials > Identity > Azure AD Domain Services". Retrieved from https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy.

Reference Point: In the "Before you begin" section

it explicitly states: "To create and configure GPOs

you need to be signed in to a user account that's a member of the AAD DC Administrators group in your Azure AD tenant."

2. Microsoft Learn. (2023). Administration concepts for an Azure Active Directory Domain Services managed domain. In "Concepts > Security". Retrieved from https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-delegation.

Reference Point: Under the "AAD DC Administrators group" section

it lists the privileges for members

including: "Create and administer Group Policy Objects (GPOs) in the custom GPO container."

3. Microsoft Learn. (2023). Frequently asked questions (FAQs) about Azure Active Directory Domain Services. In "Troubleshoot". Retrieved from https://learn.microsoft.com/en-us/azure/active-directory-domain-services/faqs.

Reference Point: Under the "Administration and operations" section

the FAQ "Can I get domain administrator or enterprise administrator privileges for the managed domain that Azure AD DS creates?" is answered with: "No. You aren't granted domain administrator or enterprise administrator permissions on the managed domain." This confirms options B and D are incorrect.