What should you recommend?

Your company has two divisions named Division1 and Division2.
The network contains an Active Directory domain named contoso.com. The domain contains
two child domains named divisionl.contoso.com and division2.contoso.com.
The company sells Division1 to another company.
You need to prevent administrators in contoso.com and division2.contoso.com from gaining
administrative access to the resources in divisionl.contoso.com.
What should you recommend?

Your company has two divisions named Division1 and Division2.
The network contains an Active Directory domain named contoso.com. The domain contains
two child domains named divisionl.contoso.com and division2.contoso.com.
The company sells Division1 to another company.
You need to prevent administrators in contoso.com and division2.contoso.com from gaining
administrative access to the resources in divisionl.contoso.com.
What should you recommend?

A.
Create a new tree in the forest named contoso.secure. Migrate the resources and the
accounts in divisionl.contoso.com to contoso.secure.

B.
On the domain controller accounts in divisionl.contoso.com, deny the Enterprise Admins
group the Allowed to Authenticate permission.

C.
Create a new forest and migrate the resources and the accounts in divisionl.contoso.com
to the new forest.

D.
In divisionl.contoso.com, remove the Enterprise Admins group from the Domain Admins
group and remove the Enterprise Admins group from the access control list (ACL) on the
divisionl.contoso.com domain object.



Leave a Reply 1

Your email address will not be published. Required fields are marked *


MountSwolemore

MountSwolemore

Correct. There’s no way to stop Enterprise Admins from doing what they want in their own forest. Only solution is to set up another forest.