IT Questions and Answers :)

Thursday, May 16, 2019

Which of the following is NOT a valid Active Directory group scope?

Which of the following is NOT a valid Active Directory group scope?

  • Distribution
  • Domain Local
  • Global
  • Universal 
Which of the following is NOT a valid Active Directory group scope?

EXPLANATION

Group Scopes

The different group scopes make it possible for groups to be used differently to assign permissions for accessing resources. A group’s scope defines the place in the network where the group will be used or is valid. This is the degree to which the group will be able to reach across a domain, domain tree, or forest. The group scope also determines what users can be included as group members.
In Active Directory, there are three different group scopes:

  • Global groups: Global groups are containers for user accounts and computers accounts in the domain. They assign permissions to objects that reside in any domain in a tree or forest. Users can include a global group in the access control list (ACL) of objects in any domain in the tree/forest. A global group can, however, only have members from the domain in which it is created. What this means is that a global group cannot include user accounts, computer accounts, and global groups from other domains. The domain functional level set for the domain determines which members can be included in the global group.
    • Windows 2000 Mixed: Only user accounts and computer accounts from the domain in which the group was created can be added as group members.
    • Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, and other global groups from the domain in which the group was created can be added as group members.
  • Domain Local groups: Domain local groups can have user accounts, computer accounts, global groups, and universal groups from any domain as group members. However, only domain local groups can assign permissions to local resources or to resources that reside in the domain in which the domain local group was created. This means that only domain local groups in the ACL of objects that are located in the local domain can be included. The domain functional level set for the domain determines which members can be included in the domain local group.
    • Windows 2000 Mixed: User accounts, computer accounts, and global groups from any domain can be added as group members.
    • Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, global groups, and universal groups from any domain can be added as group members. Other domain local groups from the same domain as group members can also be added.
  • Universal groups: Universal groups can have user accounts, computer accounts, global groups, and other universal groups from any domain in the tree or forest as members. This basically means that users can add members from any domain in the forest to a universal group. Users can use universal groups to assign permissions to access resources that are located in any domain in the forest. Universal groups are only available when the domain functional level for the domain is Windows 2000 Native or Windows Server 2003. Universal groups are not available when domains are functioning in the Windows 2000 Mixed domain functional level. Users can convert a universal group to a global group or to a domain local group if the particular universal group has no other universal group as a group member. When adding members to universal groups, it is recommended to add global groups as members and not individual users.

Share:

0 comments:

Post a Comment

Popular Posts