|
Home > Archive > 70-068 enterprise > November 2000 > Ian's Q114 why is what it is?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Ian's Q114 why is what it is?
|
|
|
| Why is the answer "A"?
My answer would have been "c"
114. Your network consists of three domains. The Corp Domain contains all user accounts. The East and West domain trust the Corp domain. All users use Win NT Wrksts cpu's. You want to configure the network so that any cuser installing a new Win NT Cpu can join any domain without any configuration needed from an administrator. How should you do this?
A) Modify the user rights in all 3 domains so that the Corp/Domain useres global group can add cpu's to any of the domains.
B) Modify the user rights in all 3 domains so that the Corp/Domain useres local group can add cpu's to any of the domains.
C) Modify the user rights in the Corp domain so that the users local group can add computers to the Corp domain.
D) Modify the user rights in the Corp domain so that the Domain users global group from each domain can add cpu's to the Corp domain. | |
|
| In this case you have 'computer accounts' vs. 'user accounts'
C: would not answer the question as the users need to add computer accounts to the resouce domains, not just the Corp domain. These users then sit at the computers in the resource domain and log in using thier Corp. Domain User Accnt.
B: only works if you then add the Corp global group to these modified local groups.
A is the best answer as any user known as 'Corp\username' and thus a member of 'Corp\Domain Users' and 'Corp\Domain Users' have permision, originating with the established trust, to add COMPUTER accts to and trusting domain.
This is yet anouther one probing Pass through authentification, trusts, and thier functional relationship. It is related to Q77, and other Q's discussed in other recent posts. Good luck!
------------------
Know why the other
answers are wrong | |
|
| Ok. I understand the trust issue but what confuses me is the fact that I would need to change the user rights in all 3 domains (corp, east, west).
I would figure just make the change at the corp domain and do nothing else. After all the all the users accounts are in the corp domain, so again if all the users are in corp and no users are in East or West, why then modify all 3 domains?
-kidg
| |
|
| Think of it this way,
A) We need the ability for any Corp\username user to add computers to any domain
B) Usually, only the local domain administrator can add computer accounts.
C) A master domiain administrator can be GIVEN the permission to add computers to trusting (resouce) domains by adding the Master\global admin group to the local adimin groups of trusting domains
D) you can give global groups permissions, it is frowned upon but doable.
In this case each domains administrator, in effect, says "I give any user who is a member of the Corp Global Group 'Domain Users' permission to add a computer account to my Domain"
This question is written in bad form, but
B: Modifiing any local group only helps if you add a user or global group to it.
C: Does not allow users to add to other non-corp domains
D: Same a C
'A' wins by default, even thought the solution is bad form
Least this is my view <: | |
|
| OH!!!!!!!!!!! I get it now!!!!!!! That's right the local domain admin add cpu's and users to their own local domain. Nice way of explaining it to me.
Thanks cltrin
-kidg
|
|
|
|
|