MCSA Exams Altering Group Scope with the resources
5. You are operating an enterprise running Windows Server 2008 at the Windows Server 2008 native level. Three different departments within your business need to access resources within a specific domain. Together, these departments represent more than 3,000 users, or approximately 1,000 users in each department. You want to create a group structure for these users with the least amount of administrative overhead. What should you do?
A. Create a global group for each department, and then assign each global group permissions to the resources in your domain.
B. Create global groups for each of the departments, and add those global groups to a single universal group. Afterward, add those users to a domain local group on the domain with the resources, and assign permission to the domain local group.
C. Create a universal group for each department, and assign permissions to the universal group. Afterward, create a domain local account on the domain with the resources, and add the universal groups to that domain.
D. Add all users who need access to the resources to a universal group, and then apply permissions to the universal group.
6. When planning for best security practices, it’s best to assign permissions to groups at what group scope level?
A. Local
B. Global
C. Universal
D. Domain local
7. You are a newly appointed senior architect, and the chief technology officer for your company has tasked you with creating a new OU strategy for your infrastructure. From what you know of OU strategy, which of the following is not an appropriate criterion for a design convention?
A. Location
B. Business function
C. Title
D. Object type
8. Your organization consists of 10 Active Directory domains that are spread throughout 10 departments, with each department being placed in its own domain. The entire forest and all its domains are running at the Server 2008 functional level. In each of these domains, a department head needs to be able to control the users within the Users OU that is unique on each domain. Recently, the CEO has asked you to place the department heads into their own department called Upper Management. The Upper Management department should be able to control all users but not be able to make domain-wide changes or administer enterprise-level solutions. What should you do to facilitate this requirement?
A. Create a universal group for the department heads called DepartmentHeads, and delegate the Users OU for each domain to the DepartmentHeads group.
B. Create a global group for the department heads called DepartmentHeads, and delegate the Users OU for each domain to the DepartmentHeads group.
C. Create a domain local group for the department heads called DepartmentHeads, and delegate the Users OU for each domain to the DepartmentHeads group.
D. Create a DepartmentHeads OU, and delegate control of the Users OU for each domain to the DepartmentHeads OU.
E. Implement a group policy that enables department heads to have control over all users.
Answers to Review Questions
5. B. By placing each department into a global group, you are compartmentalizing your departments for best practices. Afterward, when you create a universal group, you are creating a group that can be read throughout the entire forest. Then, when you add this group to the domain local group on the domain with the resources, you are localizing the permissions associated with this domain.
6. D. Domain local groups are the best area to set permissions, because the scope is the least broad. By having a narrow scope, you can take extra security precautions as well as implement additional checks and balances to make sure your permissions are not applied to too many users or objects.
7. C. Organization by title can lead to a lot of confusion. Say your enterprise has 12 departments, and each of these departments has managers. If these managers were placed into one OU to have permissions assigned, it could get very confusing when you start to apply the sales managers permissions to use the die cutter in the engineering room because of lack of OU scope design.
8. A. By creating a universal group, you are creating a group that is visible to the entire forest. Then, by delegating the OU to the users, you are not giving the users enterprise- or domain-level authority, but they can still administer the users in their own departments.