- 10 views
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. Contoso.com contains three child domains named amer.contoso.com, apac.contoso.com, and emea.contoso.com. Fabrikam.com contains a child domain named apac.fabrikam.com. A bidirectional forest trust exists between contoso.com and fabrikam.com.
You need to provide users in the contoso.com forest with access to the resources in the fabrikam.com forest. The solution must meet the following requirements:
- Users in contoso.com must only be added directly to groups in the contoso.com forest.
- Permissions to access the resources in fabrikam.com must only be granted directly to groups in the fabrikam.com forest.
- The number of groups must be minimized.
Which type of groups should you use to organize the users and to assign permissions? To answer, drag the appropriate group types to the correct requirements. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
The suggested answer is correct
- Domain global (Global) should be used to organize users.
members of Global group can be:
- Accounts from the same domain
- Other Global groups from the same domain - Domain local (DL) should be used for assigning permissions
members of Domain local groups can be:
- Accounts from any domain or any trusted domain
- Global groups from any domain or any trusted domain
- Universal groups from any domain in the same forest
- Other Domain Local groups from the same domain
- Accounts, Global groups, and Universal groups from other forests and from external domains
Universal groups can be used only within the same forest
Aliabdo
Highly Voted 1 year ago
Organize users : Universal groups Permission : Domain Local
upvoted 9 times
Ksk08
Most Recent 3 weeks, 6 days ago
domain global domain local
upvoted 1 times
monisshk
3 months, 3 weeks ago
This question is valid Exam date - 27-07-2024
upvoted 2 times
fbx01
9 months, 2 weeks ago
domain local universal Local
upvoted 1 times
Bolo92
11 months, 3 weeks ago
valid 27.11.23
upvoted 1 times
MR_Eliot
1 year, 1 month ago
Answer seems correct, do your own research, but in my mind: Users go to global groups, because, they say ONLY CONTOSO.com MEMBERS. Universal group will allow CHILDDOMAIN MEMEBERS as well. For assigning the permissions, it should be DOMAIN LOCAL. Because of A>G>U>DL=>Permissions. AND also DOMAIN LOCAL groups, can contain groups/users of other forests.
upvoted 4 times
skycrap
1 year, 5 months ago
Coorect: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#group-scope
upvoted 4 times
mrmichael1389
1 year, 4 months ago
Organize users would be Universal groups. There are child domains that would need to have users added to the groups. It speaks about users/groups in the forest (not just the domain).
upvoted 7 times
tomasek88
1 year, 3 months ago
BUT users are NOT members of Universal. Users are members of Global and Globals are members Universal. A -> G -> U -> DL -> Permissions
upvoted 6 times