In classic Windows NT domain administration, which statement about a local group account that is created by User Manager for Domains is accurate and practically useful for access control planning?

Difficulty: Easy

Correct Answer: The account cannot be used in trusting domains

Explanation:


Introduction / Context:
Windows NT 4.0–era domains differentiate among user accounts, global groups, and local groups (domain local groups). Understanding the scope of each object is critical when you design permissions across multiple domains with one-way or two-way trusts. This question focuses on what you can and cannot do with a local group that you create in User Manager for Domains.


Given Data / Assumptions:

  • Environment uses classic Windows NT domain model (pre–Active Directory).
  • Local groups are created within a resource domain to grant permissions on resources in that same domain.
  • Trusts may exist to allow identities from other domains to be recognized.


Concept / Approach:

In NT 4.0, global groups = collect users from their own account domain and local groups = granted permissions on resources within the local (resource) domain. The well-known strategy is “put Users into Global Groups; put Global Groups into Local Groups; assign Permissions to Local Groups.” Local groups do not travel across domain boundaries; their scope is confined to the domain where they are defined.


Step-by-Step Solution:

Identify the object: a local group created in User Manager for Domains.Recall scope: a local group's scope is the local (resource) domain only; it cannot be used directly in trusting domains.Check alternatives: global groups can be members of local groups (not the reverse), and users are not “auto-added” to Domain Users unless they are user accounts, not local groups.Conclude: the true statement is that the local group cannot be used in trusting domains.


Verification / Alternative check:

Documentation of NT 4.0 domain scopes confirms that local groups are not assignable outside their domain. Cross-domain access is achieved by adding global groups from the trusted (account) domain into local groups on the resource domain, not by reusing local groups elsewhere.


Why Other Options Are Wrong:

Added to global groups: Invalid; membership direction is global → local, not local → global.

Automatically added to Domain Users: That applies to new user accounts, not to groups.

Must be added to a local group: A local group is a local group; the phrasing is incorrect and circular.

None of the above: Incorrect because one statement is correct.


Common Pitfalls:

Confusing group scopes with Active Directory universal groups; assuming local groups can span domains like AD groups can.


Final Answer:

The account cannot be used in trusting domains

More Questions from Windows NT

Discussion & Comments

No comments yet. Be the first to comment!
Join Discussion