DRAG DROP
Your network contains two Active Directory forests named adatum.com and contoso.com. Both forests contain
multiple domains. A two-way trust exists between the forests.
The contoso.com domain contains a domain local security group named Group1. Group1 contains contoso
\user1 and adatum\user1.
You need to ensure that Group1 can only contain users from the contoso.com domain.
Which three actions should you perform?
To answer, move three actions from the list of actions to the answer area and arrange them in the correct
order.
Answer: 
Explanation:
The correct answer is below
Remove adatum\user1 –> Convert Group1 to G – Convert Group1 to U
can not convert local to global…
My proposition is:
1. remove adatum\user1 (can’t convert if you have user from another local group)
2. convert to Universal (you need use global group but look at first line)
3. convert to global (it takes off access from another domains)
Am I right ?
I have remove adatum > convert to U > convert to G
TestUser is correct… DL can only convert to U. U can convert to G and DL
Answer provided is correct.
http://technet.microsoft.com/en-us/library/dn579255.aspx
First we remove user.
Domain Local – Can be converted to Universal scope if the group does not contain any other Domain Local groups
So we require to convert to Universal Scope
Then:
Universal – Can be converted to Global scope if the group does not contain any other Universal groups
Answer is wrong because there’s no need to remove the contoso user. You only have to remove the adatum user.
Hey guys, why the need of this conversion, from Universal to Global? Anyway, I know that the correct answer is:
Remove adatum users
Convert to Universal
Convert to Global
bc universal can contain users from other domains, global can’t
Because we cannot convert Donain Local to Global, only through Universal
agree 100%
La repuesta correcta es :
Eliminar adatum\user1
Convertir Grupo a Universal
Convertir Grupo a Global
Los Grupos Universales pueden ser convertidos tanto en Globales, como Locales.
Los otros tipos de grupo solo pueden ser convertidos en Universales y de Universales a cualquier otro.
I think I understand now..
We need to ensure that Only Users from contoso.com can be members.
Group1 (Scope:Domain Local)
Members :: Contoso\User1,Adatum\User1
Domain local – Group can include as members
Accounts from any domain
Global groups from any domain
Universal groups from any domain
Domain local groups but only from the same domain as the parent domain local group
Domain Local – Group Conversion
Universal (as long as no other domain local groups exist as members)
Global – Group can include as members
Accounts from the same domain as the parent global group
Global groups from the same domain as the parent global group
Global – Group Conversion
Universal (as long as no other domain local groups exist as members)
Universal (as long as it is not a member of any other global groups)
We know we can’t convert the Domain Loacal Group to a Global Group without an additional step.
So the answer is actually correct.
Why? Because a domain local group cannot be coverted to a global group!
Remove the adatum\user1 From the domain local group.
Convert the group to universal. (Because you can’t convert it a domain Global)
Now Covert the group to global from universal.(Now you can convert the group because this conversion is supported!.
Universal -> Global Conversion
Global (as long as no other universal groups exist as members)
See this link.. it makes sense.
https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx
Microsoft wants you to understand the scope of groups and how conversions between group scopes are supported.
I hope this post helps someone 🙂