DRAG DROP
Your network contains two Active Directory forests named adatum.com and contoso.com. Both forests contain
multiple domains. A two-way trust exists between the forests.
The contoso.com domain contains a domain local security group named Group1. Group1 contains Contoso
\\user1 and adatum\\user1.
You need to ensure that Group1 can only contain users from the contoso.com domain.
Which three actions should you perform?
To answer, move three actions from the list of actions to the answer area and arrange them in the correct
order.
Select and Place:
Answer: 
Explanation:
Domain local Groups that are used to grant permissions within a single domain. Members of domain local
groups can include only accounts (both user and computer accounts) and groups from the domain in which
they are defined.
———– to review. Universal groups can only include objects from its own forest Groups can have — domain
local, built-in local, global, and universal. That is, the groups have different areas in different scopes which they
are valid.
A domain local group is a security or distribution group that can contain universal groups, global groups, other
domain local groups from its own domain, and accounts from any domain in the forest. You can give domain
local security groups rights and permissions on resources that reside only in the same domain where the
domain local group is located. A global group is a group that can be used in its own domain, in member servers
and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group
rights and permissions and the global group can become a member of local groups. However, a global group
can contain user accounts that are only from its own domain. A universal group is a security or distribution
group that contains users, groups, and computers from any domain in its forest as members. You can give
universal security groups rights and permissions on resources in any domain in the forest. Universal groups are
not supported.
Domain local -Groups that are used to grant permissions within a single domain. Members of domain local
groups can include only accounts (both user and computer accounts) and groups from the domain in which
they are defined. Built-in local – Groups that have a special group scope that have domain local permissions
and, for simplicity, are often referred to as domain local groups. The difference between built-in local groups
and other groups is that built-in local groups can’t be created or deleted. You can only modify built-in localgroups. References to domain local groups apply to built-in local groups unless otherwise noted. Global –
Groups that are used to grant permissions to objects in any domain in the domain tree or forest. Members of
global groups can include only accounts and groups from the domain in which they are defined. Universal –
Groups that are used to grant permissions on a wide scale throughout a domain tree or forest. Members of
global groups include accounts and groups from any domain in the domain tree or forest.
Global to universal. This conversion is allowed only if the group that you want to change is not a member of
another global scope group.
Domain local to universal. This conversion is allowed only if the group that you want to change does not have
another domain local group as a member.
Universal to global. This conversion is allowed only if the group that you want to change does not have another
universal group as a member.
Universal to domain local. There are no restrictions for this operation.