Your network consists of 20 Active directory domains in a single forest. The functional level of the
forest is Windows Server 2008 R2. You company has 20 departments. A separate domain exists for
each department. Each domain has an organizational unit (OU) named DepartmentUsers that
contains the respective domain users. Each domain has its own IT department. You need to plan the
consolidation of all the IT departments into a single IT department. The solution must meet the
following requirements:
IT administrators must be denied from making domain-wide changes.
IT administrators must be able to administer users in all departments.
Your solution must use the minimum amount of administrative effort.
What should you include in your plan?
A.
In one domain, create a universal group for all the IT administrators. Add the universal group to
the Domain Admins group in each domain.
B.
In one domain, create a global group for all the IT administrators. Add the global group to the
Domain Admins group in each domain.
C.
In one domain, create a universal group for all the IT administrators. Delegate administration of
the DepartmentUsers OU in each domain to the universal group.
D.
In each domain, create a domain local group for the IT administrators. Delegate administration of
the DepartmentUsers OU in each domain to the corresponding domain local group.
Explanation:
To consolidate all the IT departments into a single IT department, you need to create a Universal
group for all the IT administrators in a domain. The Universal groups allow users (and groups) from
multiple domains to have membership in a single group that is available throughout the Active
Directory forest. This is useful in a forest with multiple Active Directory domains to simplify resource
access permissions. If users or groups from different domains need access to resources that are
located in multiple domains, a universal group can be used to allow for that access. Next you needto delegate administration of the DeptUsersOU in each domain to the common group (Universal
group) that you have created for IT administrators so that IT administrators are able to administer
users in all departments. You cannot add that group \9Universal group that you have created) to the
Domain Admins group in each domain because you don’t want ID administrators to make domainwide changes.
Universal Group Membership Caching: Lessons Learned the Hard Way
http://www.informit.com/articles/article.aspx?p=415792