Troubleshooting Security Policies

These questions are derived from the Self Test Software Practice Test for Microsoft exam #70-299 – Implementing and Administering Security in a Microsoft Windows Server 2003 Network.

Objective: Implementing, Managing, and Troubleshooting Security Policies
SubObjective: Configure security templates

 

Single Answer, Multiple Choice

 

You are a security administrator for a company named TXGlobal. The company’s network consists of a single Active Directory forest that includes three domains: txglobal.com, east.txglobal.com, and west.txglobal.com. All network servers run Windows Server 2003. All client computers run Windows XP Professional. The forest operates at the Windows Server 2003 functional level.

 

A file server named FS1 in the txglobal.com domain hosts a shared folder named Confidential. Team leaders and managers with accounts in each of the three domains need access to the contents of this folder. Your solution should minimize global catalog replication across the domain.

 

What should you do?

 

 

  1. Create a global group in each domain, and add the users in each domain to their respective global groups. Create a universal group in txglobal.com. Add each global group to the universal group. Add the universal group to a domain local group, and assign access to the domain local group for the shared folder.
  2. Create a universal group in each domain, and add the users in each domain to their respective universal groups. Add each universal group to a domain local group, and assign access to the domain local group for the shared folder.
  3. Create a domain local group in each domain, and add each domain’s users to their respective domain local groups. Assign access to each of the domain local groups for the shared folder.
  4. Create a universal group in each domain, and add the users in each domain to their respective universal groups. Assign access to all three universal groups for the shared folder.

 

Answer:

 

 

  1. Create a global group in each domain, and add the users in each domain to their respective global groups. Create a universal group in txglobal.com. Add each global group to the universal group. Add the universal group to a domain local group, and assign access to the domain local group for the shared folder.

 

Tutorial:

 

To grant access to the Confidential folder, you should create a global group in each domain and add users from each domain to their respective global groups. Next, you should create a universal group, and add each global group to the universal group. Then, you should add the universal group to the domain local group. Finally, you should assign the necessary permissions to the domain local group for Confidential.

 

Universal groups are stored in the global catalog and require all membership changes to be replicated to all global catalogs in the forest. If the domain is operating at the Windows Server 2003 functional level, only the changed attributes of the group will be replicated. To further avoid unnecessary replication, you can add users to global groups, and then add (nest) the global groups as members of the universal group to gain the scope provided by universal group membership. By using this nested group design, membership changes to the universal group will be minimized. Replication will not be required unless a global group is added to or removed from the universal group. However, you can add users to or remove users from the global groups that are nested in the universal group without initiating replication events.

 

Domain local groups can be used to assign permissions to resources in a domain where the group exists. Domain local groups can be used only in domains that operate at the Windows 2000 native or Windows Server 2003 domain functional levels. Domain local groups can contain members from any domain in the forest, as well as from trusted domains outside the forest. You can add user accounts, domain local groups, global groups, and universal groups as members of this type of group.

 

A global group can contain members only from its own domain. You should create global groups when you must combine users from a domain that have the same job profile or share the same set of properties as other users in the domain. A global group can be used in domains that operate at all domain functional levels. You can use a global group to assign permissions to resources in other trusted domains. A global group can also contain other global groups in the Windows 2000 native or Windows Server 2003 domain functional levels. However, a global group cannot contain global groups in domains that operate at the Windows 2003 Interim or Windows 2000 Mixed domain functional levels.

 

You should not create a domain local group in each domain, add users to the domain local groups, and assign resource access to all three domain local groups. A domain local group cannot be added to another group outside its domain.

 

You should not create a universal group in each domain and add users directly to it. Universal groups still increase replication traffic on the network and should be used sparingly. Any changes to the group’s membership will be replicated to all global catalogs in the forest. In this scenario, you must minimize the replication traffic.
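The replication argument and the nesting rules above can be checked with a small model. This is an added example, not part of the original practice test and not Microsoft code; the group names (DL_Confidential, UG_Leaders, Leaders_<domain>), the user names, and the replication counter are constructed assumptions that follow only the rules stated in this tutorial.

```python
# Added example: toy model of the group scopes described above (not Microsoft code).
from dataclasses import dataclass, field

@dataclass(eq=False)
class Principal:
    name: str
    domain: str
    scope: str = "user"  # "user", "global", "universal" or "domain_local"
    members: list = field(default_factory=list)

class Forest:
    def __init__(self):
        self.gc_replications = 0  # universal-group membership changes sent to every GC
    def add_member(self, group, member):
        same = group.domain == member.domain
        allowed = {  # nesting rules as stated on the page, Windows Server 2003 level
            "global": same and member.scope in ("user", "global"),
            "universal": member.scope in ("user", "global", "universal"),
            "domain_local": same or member.scope != "domain_local",
        }
        if not allowed.get(group.scope, False):
            raise ValueError(f"{member.name} cannot join {group.scope} group {group.name}")
        group.members.append(member)
        if group.scope == "universal":
            self.gc_replications += 1

def effective_users(group):
    """Expand nested membership into the set of user names that reach the group."""
    found = set()
    for m in group.members:
        found |= {m.name} if m.scope == "user" else effective_users(m)
    return found

DOMAINS = ["txglobal.com", "east.txglobal.com", "west.txglobal.com"]
def build(nested, users_per_domain=5):
    # nested=True: answer 1 (users -> global -> universal -> domain local).
    # nested=False: option 2 (users directly in per-domain universal groups).
    forest = Forest()
    dl = Principal("DL_Confidential", "txglobal.com", "domain_local")  # constructed name
    ug = Principal("UG_Leaders", "txglobal.com", "universal")          # constructed name
    if nested:
        forest.add_member(dl, ug)
    for d in DOMAINS:
        grp = Principal(f"Leaders_{d}", d, "global" if nested else "universal")
        forest.add_member(ug if nested else dl, grp)
        for i in range(users_per_domain):
            forest.add_member(grp, Principal(f"user{i}@{d}", d))
    return forest, dl
```

With five users per domain, `build(nested=True)` records 3 global catalog replications and `build(nested=False)` records 15, while `effective_users` returns the same 15 accounts for both designs.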

 

Reference:

 

Windows Server 2003 Online Help, Contents, “Active Directory,” “Concepts,” “Understanding Groups,” “Understanding Groups,” “Group Scope.”
