1. Jean says that there are four internal auditors in the forest root domain. There are two internal auditors in each of the child domains. Each set of internal auditors has been placed in a global group within each domain. These groups are named IA_Main, IA_East, and IA_West after their respective locations. Jean wants all of the members of these groups to be able to access the same resources in every domain. What is the recommended way to configure this?
Create a universal group that all individual global groups can become a member of. This will allow each internal auditor to have access to resources granted to the universal group. Choose a name for the group that represents the entire company, such as HumongousJA.
2. The network administrators from the East domain want to know why the option to
create a universal group is not available in their domain. What can you tell them?
Universal groups are only available to domains that have a functional level of Windows 2000 native or later. When using the mixed functional level, you cannot create universal groups. In order to change the functional level, all of the existing Windows NT 4 backup domain controllers (BDCs) must be removed or upgraded. Once the domain functional level is raised, the two Windows Server 2003 domain controllers will no longer replicate the domain database to Windows NT 4 BDCs.
3. The network administrators from the West domain want to know why everyone
always recommends placing global groups into universal groups, instead of just
placing the users directly into the universal groups. What should yoti tell them?
Universal group membership changes cause forest-wide replication. If you use global groups in the universal groups instead of users, it is less likely that there will be membership changes to the universal groups. If instead you decided to place users in universal groups, every time a user was added to, or deleted from, a universal group, forest wide replication would take place. In most domains the user accounts are modified more frequently than the groups themselves. Once you are able to upgrade all the domain controllers in the forest, you'll be able to raise the domain functional level to Windows Server 2003, which would alleviate this issue and concern.
4.Jean approves a plan to hire assistants for each domain to create and manage user
accounts. How can you give the assistants the immediate ability to help in this way
without making them domain administrators?Place the assistants in the Account Operators group of the domains for which they are expected to be assistants.
5. Two employees have been hired to back up data, maintain the Windows Server
2003 domain controllers, and manage printers for the Main_Site. Which Builtin
groups will give these users the permissions they require to manage the domain
controllers? How should you set up their accounts and group memberships?
These users will need permissions assigned to the Backup Operators, Account Operators, and Server Operators. You should create a global group specifically for these users. For example, create the Maintenance_Main global group. Make that group a member of the Backup Operators, Account Operators, and Server Operator domain local groups. Then place the user accounts for these new employees in that new global group.
6. Two security specialists have been contracted to create group policy for the
humongous.com domain. They have no need to perform most administrative
tasks. How should you assign their group memberships?
Make them a member of the Group Policy Creator Owners domain group.
Exam Objectives in this Chapter:
Plan a user authentication strategy
Delegate permissions of an organizational unit (OU) to a user or security group