PrepAway - Latest Free Exam Questions & Answers

To which group should you add the users?

Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest
contains one domain. A two-way forest trust exists between the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in
contoso.com.
To which group should you add the users?


A.
Group 1: Security Group – Domain Local.

B.
Group 2: Distribution Group – Domain Local.

C.
Group 3: Security Group – Global.

D.
Group 4: Distribution Group – Global.

E.
Group 5: Security Group – Universal.

F.
Group 6: Distribution Group – Universal.

Explanation:
This one is a bit tricky. According to Microsoft’s advice we should put user accounts into a Global Group, then
add the Global Group to a Universal Group, and then add the Universal Group to a Domain Local group, which
is used to assign permissions. Microsoft calls this AGUDLP. See the reference below.
So, the users need to be put in a Global Group (answer C (“Group 3: Security Group – Global”)), but it’s the
Universal Group that travels across the forest trust (answer E (“Group 5: Security Group – Universal”)).
Another way of looking at the question might be that they’re asking what kind of group actually is assigned
access to the shared folders. That would be a Domain Local security group, being answer A (“Group 1: Security
Group – Domain Local”).
Because of Microsoft’s advice I choose answer C (“Group 3: Security Group – Global”). But it could just
as well be A or E.
Again, it’s a tricky one.
Reference:
http://technet.microsoft.com/en-us/library/cc772808.aspx
Best practices for using security groups across forests
By carefully using domain local, global, and universal groups, administrators can more effectively control
access to resources located in other forests. Consider the following best practices:
To represent the sets of users who need access to the same types of resources, create role-based global
groups in every domain and forest that contains these users. For example, users in the Sales Department in
ForestA require access to an order-entry application that is a resource in ForestB. Account Department
users in ForestA require access to the same application, but these users are in a different domain. In
ForestA, create the global group SalesOrder and add users in the Sales Department to the group.
Create the global group AccountsOrder and add users in the Accounting Department to that group.
To group the users from one forest who require similar access to the same resources in a different forest,
create universal groups that correspond to the global group roles. For example, in ForestA, create a
universal group called SalesAccountsOrders and add the global groups SalesOrder and
AccountsOrder to the group.
To assign permissions to resources that are to be accessed by users from a different forest, create
resource-based domain local groups in every domain and use these groups to assign permissions
on the resources in that domain. For example, in ForestB, create a domain local group called
OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry
application, and assign appropriate permissions.
To implement access to a resource across a forest, add universal groups from trusted forests to the
domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group
from ForestA to the OrderEntryApp domain local group in ForestB.
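
The nesting chain from the reference can be checked against the Active Directory group-scope membership rules. The following is an added example, not code from this page or from Microsoft: a small Python model that builds the ForestA/ForestB chain and expands it to the accounts that end up with access. The user names, domain names and all function names are constructed for illustration, and the forest trust is assumed to exist.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    kind: str      # "user", "global", "universal" or "domain_local"
    domain: str    # constructed domain names, e.g. "sales.foresta"
    forest: str
    members: list = field(default_factory=list)

def may_contain(group, member):
    """Scope rules for adding `member` directly to `group` (trust assumed in place)."""
    same_forest = group.forest == member.forest
    same_domain = same_forest and group.domain == member.domain
    if group.kind == "global":
        return same_domain and member.kind in ("user", "global")
    if group.kind == "universal":
        return same_forest and member.kind in ("user", "global", "universal")
    if group.kind == "domain_local":
        # Domain local groups nest only within their own domain; accounts, global
        # and universal groups may come from any domain or trusted forest.
        return same_domain if member.kind == "domain_local" else True
    return False   # a user account cannot hold members

def add_member(group, member):
    if not may_contain(group, member):
        raise ValueError(f"{member.kind} {member.name} cannot join {group.kind} {group.name}")
    group.members.append(member)

def effective_users(group):
    """Expand nesting down to the user accounts that inherit the group's permissions."""
    users = set()
    for m in group.members:
        users |= {m.name} if m.kind == "user" else effective_users(m)
    return users

def build_reference_chain():
    """The ForestA/ForestB example from the reference; users and domains are constructed."""
    alice = Principal("alice", "user", "sales.foresta", "ForestA")
    bob = Principal("bob", "user", "accounts.foresta", "ForestA")
    sales = Principal("SalesOrder", "global", "sales.foresta", "ForestA")
    accounts = Principal("AccountsOrder", "global", "accounts.foresta", "ForestA")
    orders = Principal("SalesAccountsOrders", "universal", "sales.foresta", "ForestA")
    app = Principal("OrderEntryApp", "domain_local", "res.forestb", "ForestB")
    for group, member in [(sales, alice), (accounts, bob), (orders, sales),
                          (orders, accounts), (app, orders)]:
        add_member(group, member)
    return app

if __name__ == "__main__":
    print(sorted(effective_users(build_reference_chain())))
```

Running the same `may_contain` check over an exported group inventory flags nestings that the scope rules do not permit before they are attempted in the directory.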

