Hi,

Option C should work also, right?

You are the systems administrator for the staff administrative department of a hospital. You are in the domain called admin.hospital.msft, which is running in native mode. There are multiple shared folders throughout your Microsoft® Windows Server™ 2003 domain, and you must ensure that everyone has permissions to the shared folders. Doctors, nurses, and clerks require permissions. The accounts for the clerks are in your domain, but the doctors and nurses are in the staff.nwtraders.msft domain.
You have arranged to work with the administrator from the staff.hospital.msft domain to ensure that the group strategy is correct. Which strategy should you choose?

a. Create a global group in the staff domain called Staff. Create a global group in the admin domain called Clerks. Create a universal group and add the Staff and Clerks as members. Grant permissions to the universal group.

b. Create a global group in the staff domain called Staff. Create a global group in the admin domain called Clerks. Create a domain local group in the staff domain and add the Staff and Clerks as members. Grant permissions to the domain local group.

c. Create a domain local group in the admin domain called admin. Add the clerk accounts to the domain local group. Add the doctors and nurses accounts to the domain local group. Grant permissions to the domain local group.

d. Create a universal group called admin. Add the clerk accounts to the universal group. Add the doctors and nurses accounts to the universal group. Grant permissions to the universal group.
Answer

Answer b is correct.
Creating a global group in each domain allows for more flexibility. By creating a domain local group and granting permissions, you can easily add another global group to it at any time.

الجواب على درايتي صحيح

لانه انت ما تقدر تستخدم الـ universal group في تحديد الصلاحيات

" طبعا يفضل إستخدام Domain Local Group في عملية تحديد الصلاحيات "
وايضا ما تستطيع استخدام الـ Universal Group لانه الـ Domain شغالة على native mode

فالبتالي الإجابة b هي الصحيحة
تستخدم Global Group وتحدد الـ Domain User من كل Domain ومن ثم تضيف هذه الـ Group على الـ Domain Local Group في كل shared folders

ولك التحية

الجواب على درايتي صحيح

لانه انت ما تقدر تستخدم الـ universal group في تحديد الصلاحيات

" طبعا يفضل إستخدام Domain Local Group في عملية تحديد الصلاحيات "
وايضا ما تستطيع استخدام الـ Universal Group لانه الـ Domain شغالة على native mode

فالبتالي الإجابة b هي الصحيحة
تستخدم Global Group وتحدد الـ Domain User من كل Domain ومن ثم تضيف هذه الـ Group على الـ Domain Local Group في كل shared folders

ولك التحية

الاجوبه الاربعة تقريبا صحيحة وانا بحاول الاتصال بـ Microsoft Help لان الجواب b صحيح اذا كان DL مخلوق في الـ admin وليس الـ Staff لان الـ share Folder هناك. ايضا الجواب c صحيح لكن لايفضل سحب الـ Users من عدة Domain ويفضل استخدم الـ Global Groups كما تفضلت

للعلم فان Universal Group يستخدم في الـ Native لكن لا في الـ Mixed (H)

مع الشكر

للعلم فان Universal Group يستخدم في الـ Native لكن لا في الـ Mixed

هفوة

Al salamo 3alekoh
the answer B is the only correct answer because you can't add the clerk users to the domain local because the domail local is seen only by it's domain & can't be seen by any other from other domains for the best security concept you can add the users to a global & put all globals in a bomain local group, Also you can't use the universal group due to the 2000 native mode not 2003 native

w allah a3lam
koxkox

You can add any user or group from any domain in the tree to the DL but the permission is limited to the domain scope

B is the correct answer,
microsoft use this procedure to grant access to a ressource from multi. domain. (Account -->Global-->Domain local-->Permission).
add account to a global grp, add global grp to a domain local grp.Grant permission to a local grp.

If you have 3 or more domains and need to grant permission for users form these domains to a different ressource in the three domains can you use this procedure (Account -->Global-->Universal-->Domain local-->Permission).

but you should remember that when you use universal grp you will get more traffic in the network because universal grp exist in global catalog.

Thanks for the deceleration

I usually understand DL as you can add users from domains for a local resourse

and global you add users from same domain to resourse in differnet domain

Is it right?

In DL, you cant see that group from another domain as opposite to G?

Domain Local Groups
Domain local groups are used primarily to assign access permissions to global groups for local domain resources. Domain local groups:
■ Exist in all mixed, interim and native functional level domains and forests.
■ Are available domainwide only in Windows 2000 native or Windows Server 2003 domain functional level domains. Domain local groups function as a local group on the domain controllers while the domain is in mixed functional level.
■ Can include members from any domain in the forest, from trusted domains in other forests, and from trusted down-level domains.
■ Have domainwide scope in Windows 2000 native and Windows Server 2003 domain functional level domains, and can be used to grant resource permission on any Windows Server 2003 computer within, but not beyond, the domain in which the group exists.

Global Groups
Global groups are used primarily to provide categorized membership in domain local groups for individual security principals or for direct permission assignment (particularly in the case of a mixed or interim domain functional level domain). Often, global groups are used to collect users or computers in the same domain and share the same job, role, or function. Global groups:
■ Exist in all mixed, interim, and native functional level domains and forests
■ Can only include members from within their domain
■ Can be made a member of machine local or domain local group
■ Can be granted permission in any domain (including trusted domains in other forests and pre–Windows 2003 domains)
■ Can contain other global groups (Windows 2000 native or Windows Server 2003 domain functional level only)
Universal Groups
Universal groups are used primarily to grant access to resources in all trusted domains, but universal groups can only be used as a security principal (security group type) in a Windows 2000 native or Windows Server 2003 domain functional level domain.
■ Universal groups can include members from any domain in the forest.
■ In Windows 2000 native or Windows Server 2003 domain functional level, universal groups can be granted permissions in any domain, including domains in other forests with which a trust exists.
Tip Universal groups can help you represent and consolidate groups that span domains, and perform common functions across the enterprise. A useful guideline is to designate widely used groups that seldom change as universal groups.