Question 6 of 10
You are the domain administrator for north.westsim.com, which is a child domain of westsim.com.
You have a high-end color laser printer that is shared on a server in north.westsim.com. Because of the
high price per page you have removed the print permission from the Everyone group. You need to grant the
print permissions to marketing users in the north.westsim.com, east.westsim.com, and
west.westsim.com domains.
What should you do?
ANSWER: In the North domain create a Domain Local group called CLR-PRT. In all three domains create a Global
group named Marketing. Add all three global groups to the North CLR-PRT group and assign the print
permission to the group.
- In all three domains create a Global group named Marketing. Add the East and West Marketing groups to
the North Marketing group. Assign the print permission to the North Marketing group.
- In all three domains create a Domain Local group called CLR-PRT. Add the East and West CLR-PRT
groups to the North CLR-PRT group. Assign the print permission to the North CLR-PRT group.
- In the North domain create a Universal group called All-Marketing. Add the marketing users’ accounts
from all three domains to the group and assign the group the print permission.
Explanation
The best solution would be to create a Domain Local group in the North domain called CLR-PRT and in all three domains
create a Global group named Marketing. Add all three global groups to the North CLR-PRT group and assign the print
permission to the group. This follows Microsoft’s recommended strategy of A-G-DL-P. Place Accounts into Global groups
which become members of Domain Local groups which have the Permissions assigned.
Using a universal group and adding user accounts directly to a universal group will work, but in a multiple domain forest
this is not a best practice. In addition, since the resource is only located in one domain, universal groups are not
recommended. Anytime there is a membership change in a Universal group it requires replication to the Global Catalog
servers. This does not happen when you modify the membership of Domain Local or Global groups. Using a universal
group in the North domain with individual members puts the burden of managing the membership on the North
administrator. You can expand the best practice of A-G-DL-P to A-G-U-DL-P by creating global groups in each domain
and adding them to the universal group.
The other answers violate the group nesting rules and will not work. A global group can only contain accounts and global
groups from its own domain. Domain Local groups cannot be members of groups outside their own domain.
Objectives
Objectives for MS 70-410:
503 Create and manage Active Directory groups and organizational units (OUs)
References
LabSim for Windows Server Pro: Install and Configure, Section 4.8.