You are a security administrator for certifyme.com. The network consists of seven
Active Directory domains. These domains are in the same Active Directory forest.
All seven Active Directory domains operate at a Windows Server 2003 domain
functional level.
Each domain contains an internal Web site that is used to publish information to the
certifyme.com managers. Access to the information on this Web site must not be
restricted to managers. An existing global group in each domain contains the
management user accounts that exist in that domain.
You need to restrict access to the internal Web sites to certifyme.com managers.
You want to achieve this goal by using the minimum amount of administrative
effort. 350-001
What should you do?
A. Create a universal group in one of the Active Directory domains.
Add the existing management global groups as members of the universal group.
Assign only this universal group permissions to access the Web sites.
B. Create a global group in one of the Active Directory domains.
Add the existing management global groups as members of the global group.
Leading the way in IT testing and certification tools, www.certifyme.com
- 15 -
Assign only this global group permissions to access the Web sites.
C. Create a domain local group in one of the Active Directory domains.
Add the existing management global groups as members of the domain local group.
Assign only this domain local group permissions to access the Web sites.
D. Assign only the existing management global permissions to access the Web sites.
Answer: A
Explanation: Global: accounts from the same domain, and global groups from the same
domain 640-802
Domain local: accounts from any domain, global groups from any domain, universal
groups from any domain, and domain local groups from the same domain
Windows 2000 global groups are effectively the same as Windows NT global groups. In
terms of membership, they have domain-wide scope, but can be granted permissions in
any domain, even in other forests and earlier version domains as long as a trust
relationship exists.
Universal groups can contain members from any Windows 2000 domain in the forest,
but cannot contain members from outside the forest. You can grant universal groups
permissions in any domain, even in other forests, as long as a trust relationship exists.
Although universal groups can have members from mixed mode domains in the same
forest, the universal group will not be added to the access token of these members
because universal groups are not available in mixed mode.
You can add users to a universal group, but it is recommended that you restrict universal
group membership to global groups. Universal groups are available only in native mode
domains.
You can use universal groups to build groups that perform a common function within an
enterprise. VCP-310
Universal groups could be used as a container in these circumstances to hold global
groups from each subsidiary or department, with a single access control entry (ACE) for
the universal group to protect the team resources.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment