Groups... Global, Universal, Local..

TechJunky Member Posts: 881
Can someone help me out here. I know that the answer is correct, but I am having a hard time grasping why..

From my understanding..

Local group - any domain user can be added to this group.

Global group - only users from that domain can be added to the group.

Universal group - multiple domains needing access to the same resources. Members from any domain can be added to this group.

You are the network admin for your company. The network consists of a Single AD Forest with three domains. west.contoso.com, east.contoso.com and contoso.com. Each domain has 1000 users.

Your company has acquired another company that will be connected over a 128k WAN link directly connected to contoso.com.

You create a shared folder on contoso.com called Projects. Several users in each existing domain need access to Projects folder. These users are not in the same group in any domain.
All users who need access to the Projects folder must be able to add, delete, and modify files. Users in the newly acquired companies will also require the same access.

You need to create the required AD groups and configure the required permissions for the Projects folder. Your solution must minimize administrative effort as you add new companies on board to your network. You must also minimize WAN traffic.

A. Create a single universal security group. Add all users that require access to the folder to the group. Create a domain local group in the contoso.com domain. Add a universal group to the domain local group. Assign permissions to the shared folder using the domain local group.

B. Create a global security group in each domain. Add all users that require access to the folder to the global group in their domain. Create a local group in the contoso.com domain. Add the global groups to the domain local group. Assign permissions to the shared folder using the domain local group.

C. Create a universal security group in each domain. Add all users that require access to the folder to the group in their domain. Assign permissions to the shared folder by using the universal groups.

D. Create a global security group in each domain. Add all users that require access to the folder to the global group in their domain. Assign permissions to the shared folder by using the global groups.

Why wouldn't "A" work?

All need access to the Projects folder. Adding all the users to the universal group would accomplish this. Creating a domain local group and assigning the universal group would allow you to manage all of the universal groups centrally on the contoso.com DC.

"C" isn't correct because why create 3 universal groups on each domain when you can only create one.

"D" isn't correct because you have no central way of managing all domain users and permissions.

Thanks!

Comments

  • dynamik Banned Posts: 12,312
    You're supposed to minimize WAN traffic. Universal Groups rely on the Global Catalog, which will increase WAN traffic if there isn't one at that site. That's where Universal Group Membership Caching comes in.

    Also, be sure to remember who can be added to the group as well as where that group can be assigned permissions. Like for your global group definition, remember that only members from that domain can be added to the group, but the group can be assigned permissions in any domain.
    Instead of communicating with every domain in the forest to enumerate the universal groups from each, the member list of each universal group is replicated to Global Catalog (GC) servers, making it easier for a domain controller to query one location for all universal groups of which the user is a member.

    http://support.microsoft.com/kb/216970

    I think it's a bad question since it doesn't specify the sites and GC placement.

    Here's a good article on GC placement: http://technet2.microsoft.com/windowsserver/en/library/0e4d2466-68e8-40d8-8c72-099f8bc259ff1033.mspx?mfr=true
  • TechJunky Member Posts: 881
    Ahh, that makes sense.

    Thanks!
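
The group layout that option B describes (one global group per domain, nested into a single domain local group in contoso.com that carries the folder permission), as an added PowerShell example that is not part of the original thread. The group names, the folder path, and an account with rights in all three domains are assumptions.

```powershell
# Added example: the nesting from option B. Group names and path are assumptions.
Import-Module ActiveDirectory

$resourceDomain = 'contoso.com'
$userDomains    = 'contoso.com', 'west.contoso.com', 'east.contoso.com'
$folder         = 'D:\Shares\Projects'   # assumed local path behind the Projects share
$globalName     = 'GG-Projects-Users'    # hypothetical group name
$localName      = 'DL-Projects-Modify'   # hypothetical group name

# One domain local group in the domain that hosts the folder.
# Domain local groups accept members from any domain but can only be
# granted permissions inside their own domain.
$dl = New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security `
        -Server $resourceDomain -PassThru

foreach ($domain in $userDomains) {
    # A global group only accepts members from its own domain, so each
    # domain gets its own. Its member list is not replicated to the
    # Global Catalog, unlike a universal group's.
    $gg = New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security `
            -Server $domain -PassThru

    # Pass the group object (not a name) so the cross-domain member resolves.
    Add-ADGroupMember -Identity $dl -Members $gg -Server $resourceDomain
}

# Grant Modify (add, delete, change files) to the domain local group only.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $dl.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: the domain local group should list one global group per domain.
Get-ADGroup -Identity $dl -Properties member -Server $resourceDomain |
    Select-Object -ExpandProperty member
```

With this layout, bringing another domain on board means one more entry in `$userDomains`; the folder ACL itself is not touched again.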