Your network contains two Active Directory forests named contoso.com and adatum.com. All
servers run Windows Server 2012 R2. A one-way external trust exists between contoso.com and
adatum.com.
Adatum.com contains a universal group named Group1. You need to prevent Group1 from being
used to provide access to the resources in contoso.com.
What should you do?
A.
Change the scope of Group1 to domain local.
B.
Modify the Allowed to Authenticate permissions in adatum.com.
C.
Enable SID quarantine on the trust between contoso.com and adatum.com.
D.
Modify the Allowed to Authenticate permissions in contoso.com.
Explanation:
* Accounts that require access to the customer Active Directory will be granted a special right called
Allowed to Authenticate. This right is then applied to computer objects (Active Directory domain
controllers and AD RMS servers) within the customer Active Directory to which the account needs
access.
* For users in a trusted Windows Server 2008 or Windows Server 2003 domain or forest to be able
to access resources in a trusting Windows Server 2008 or Windows Server 2003 domain or forest
where the trust authentication setting has been set to selective authentication, each user must be
explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer
objects (resource computers) that reside in the trusting domain or forest.
This question is same as 376 but in 376, answer is B. Why?
I think that correct answer is D because in this matter you don’t permit access to contoso.com
Could it have anything to do with precedent. So, if Contoso.com is there then it has precedent over Adatum.com. If not precedent then perhaps a suggested way of doing it.
Vaya un cachondeo. La respuesta es diferente depende que examen estés leyendo. Misma pregunta y diferentes respuestas. ¿Alguien sabe dónde encontrar la respuesta que Microsoft pide?