In a multi-domain Windows 2000 Active Directory forest, you want to use a single security group to organise and manage users from several domains who perform similar job tasks so that you can assign permissions once to that group. What type of group should you create to contain users from multiple domains?

Introduction / Context:
Active Directory in Windows 2000 supports different group scopes to help administrators manage permissions in multi domain environments. Choosing the correct group scope is critical for flexible and scalable access control. When users with the same job role exist in multiple domains, you may want to place them into one group and then assign permissions to that group rather than to individual users across domains.

Given Data / Assumptions:

• The environment is a Windows 2000 Active Directory forest with multiple domains.
• Users performing similar tasks exist in different domains.
• You want to use a single group to organize these users and assign permissions.
• The group must be able to contain members from multiple domains.

Concept / Approach:
Windows 2000 defines three main group scopes: global, domain local and universal. Global groups primarily contain users from the same domain and can be granted permissions in any domain. Domain local groups can include members from any trusted domain but their permissions are applied only within their own domain. Universal groups can include users and global groups from any domain in the forest and can be granted permissions anywhere in the forest. For a single group that can include users from multiple domains, the universal group scope is the appropriate choice.

Step-by-Step Solution:
Step 1: Identify the requirement that the group must contain users from several domains.Step 2: Recall that global groups can only contain accounts from their own domain, so they do not satisfy the requirement alone.Step 3: Understand that domain local groups can contain members from multiple domains but are used to assign permissions within a single domain, not to act as a single organizing group for the entire forest.Step 4: Determine that universal groups are designed exactly for forest wide membership, allowing accounts from any domain in the forest.Step 5: Recognize that built in special groups such as Everyone or Authenticated Users are not suitable as custom security groups for specific job roles.Step 6: Conclude that a universal group is the best choice for organizing users from multiple domains.

Verification / Alternative check:
Best practice in multi domain environments often follows the A G U D L P model: place user Accounts in Global groups, nest them into Universal groups (where appropriate), then place universal groups into Domain Local groups and assign Permissions. In this pattern, universal groups serve as forest wide containers for similar users. This aligns perfectly with the requirement in the question to use a single group across domains.

Why Other Options Are Wrong:
Global groups cannot include users from different domains; they are limited to accounts in their own domain. Domain Local groups can include members from multiple domains but are intended for resource access in a single domain rather than for global organisation of users. Built in special groups are predefined and not meant to represent specific job roles or to be managed as custom security groups.

Common Pitfalls:
Many students confuse where group membership comes from versus where permissions are assigned. It is easy to mix up the rules for global, domain local and universal scopes. Remembering that universal groups are forest wide in both membership and permission assignment helps avoid these mistakes. Administrators should also consider replication impact, because membership changes in universal groups are replicated to global catalog servers throughout the forest.

Final Answer:
The correct group type to organise users from multiple domains is a Universal group.