Posted on 2006-07-12
This is a MS study guide question...
There is a network consisting of several domians in a single AD forest Abc.com. the fucntional level for all child domains is Win2000 mixed
A server named Xyz.com runs win 2003. You share a folder named SalesDoc on this server. In the properties of the SalesDoc you give Full control to a UNIVERSAL group caled U_Sales in Abc.com.
It shows a pic with the effective perms for U_Sales showing it has full control
It goes on to say
In each domain in the forst, you make a global group called G_Sales, whose members consist of users in that domains department. You add EVERY G_Sales group to the U_Sales group
A user is a member of G_Sales in Child1.Abc.com. And he says he cannot get access to SalesDocs.
It shows the effective perms of the user for SalesDocs, and NOTHING is checked.
It says says one COMPLETE solution is change the group scope of the U_Sales to Domain Local.
Now, I can kind of understand why that would work, as the user is in G_Sales, which in turn is a memeber of U_sales, and therefore a domain local group would allow access
BUT it says another COMPLETE solution is just give the G_Sales group in Child1.Abc.com full control.
My questions are: -
How can you just give allow full control to G_Sales in Child1.Abc.com and expect that to work. when we are told the functional level for child domains is 2000 mixed i.e. universal groups cannot be used ?
Also how would the user still get access by just changing the group to a domain local group if the perms showed nothign was checked