You need to prevent Group1 from being used to provide access to the resources in contoso.com

Your network contains two Active Directory forests named contoso.com and adatum.com.
All servers run Windows Server 2012.
A one-way external trust exists between contoso.com and adatum.com.
Adatum.com contains a universal group named Group1.
You need to prevent Group1 from being used to provide access to the resources in contoso.com.
What should you do?


A.
Change the scope of Group1 to domain local.

B.
Modify the Allowed to Authenticate permissions in adatum.com.

C.
Enable SID quarantine on the trust between contoso.com and adatum.com.

D.
Modify the Allowed to Authenticate permissions in contoso.com.

Explanation:
* Accounts that require access to the customer Active Directory will be granted a special right
called Allowed to Authenticate. This right is then applied to computer objects (Active Directory domain
controllers and AD RMS servers) within the customer Active Directory to which the account needs access.
* For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able to access
resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest where the trust
authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed
to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside
in the trusting domain or forest.
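The explanation above describes where the Allowed to Authenticate right lives: as an ACE on computer objects in the trusting domain, checked only when the trust uses selective authentication. The following PowerShell is an added example (not part of the original page or any Microsoft documentation) that audits that state from the contoso.com side; it assumes the RSAT ActiveDirectory module is installed and that the trust object is named adatum.com.

```powershell
# Added example: audit which principals hold the Allowed to Authenticate
# extended right on computer objects in the trusting domain (contoso.com),
# and confirm the trust to adatum.com uses selective authentication.
# Assumes: run on a contoso.com member with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Rights GUID of the Allowed-To-Authenticate extended right in the AD schema.
$allowedToAuthGuid = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Confirm the trust is set to selective authentication. Without it, the
#    Allowed to Authenticate ACEs are never consulted and any authenticated
#    principal from adatum.com can be granted access by name or group.
$trust = Get-ADTrust -Filter "Name -eq 'adatum.com'" -Server 'contoso.com'
if (-not $trust) { throw 'No trust named adatum.com found in contoso.com' }
'Trust {0}: Direction={1} SelectiveAuthentication={2}' -f `
    $trust.Name, $trust.Direction, $trust.SelectiveAuthentication

# 2. Walk every computer object in the trusting domain and collect the ACEs
#    that grant the Allowed to Authenticate extended right.
$findings = foreach ($c in Get-ADComputer -Filter * -Server 'contoso.com') {
    $acl = Get-Acl -Path ('AD:\' + $c.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $isExtended = $ace.ActiveDirectoryRights -band `
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and
            $ace.ObjectType -eq $allowedToAuthGuid) {
            [pscustomobject]@{
                Computer  = $c.Name
                Principal = $ace.IdentityReference.Value
            }
        }
    }
}
$findings | Sort-Object Computer, Principal | Format-Table -AutoSize

# 3. Highlight grants to principals from the trusted forest (e.g. ADATUM\Group1)
#    so they can be reviewed or removed in the trusting domain's ACLs.
$findings | Where-Object { $_.Principal -like 'ADATUM\*' }
```

Step 2 reads each computer's security descriptor through the AD: drive, so it needs read access to those objects and will take a while in a large domain.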





Emily

Shouldn’t the answer be D?

jo

I believe the “allow to authenticate” permission should be modified in the trusting forest which is contoso.com (not the trusted one).
Answer is D.

Argus

I think is D
can anybody confirm it?

Nelson

After watching the video, I agree. It’s B

Rez

No, based on the video as well as MS documentation, the permission must be given on the trusting domain for the group from the trusted domain. The correct answer is D.

alon

You can modify the allowed to authenticate on the users and computers; you need to click on View -> Advanced Settings,
then go to the Computers container -> Security.

robber

It’s A. You can’t use a domain local group outside its own domain.

“allowed to authenticate” is a per user setting. A user in group1 could still be allowed to authenticate and access resources in the other domain, just group1 can’t be used.

Gb

I think robber is right, change the scope to domain local and it’s done. Domain local can be used only in local domain.

I would go with A.

Peter

My first thought was: change the group to local and access will be prevented.
And it is a simple way to do it, so why not A??

Pronost

They are not talking about a Forest they are talking about a trust relationship

Pronost

I don’t think it’s A, but I do think it’s either B or D. I have no way to test it out, though… Hmmmmm

Pronost

I’m thinking D… based on the TechNet article from Michael in the 1st post.

Pronost

It’s D as well. From a TechNet article: “To enable access to resources over an external trust or forest trust that is set to selective authentication, complete the following procedure by using Active Directory Users and Computers from the trusting domain.” Pay attention to the last 5 words or so. What an old teacher told me as well….
When you think of trust relationships, think of it this way: Trusting ME and Trusted by ME.

In this case the Trusting ME is the domain you need access to resources in.

Jacky

I agree with Pronost. The answer is D.

Ken0r

Robber is 100% correct.

“It’s A. You can’t use a domain local group outside its own domain.

“allowed to authenticate” is a per user setting. A user in group1 could still be allowed to authenticate and access resources in the other domain, just group1 can’t be used”

Allowed to authenticate is in fact a per user setting. We want to disable access per group1, not per user.

You can convert the universal group to a domain local group killing access to the other domain.

https://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx