Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com.
A two-way forest trust exists between the contoso.com forest and an AD DS forest named fabrikam.com. The fabrikam.com forest contains 10 child domains.
You need to ensure that only the members of a group named fabrikam\Group1 can authenticate to server1.contoso.com.
What should you do first?
- A. Add fabrikam\Group1 to the local Users group on server1.contoso.com.
- B. Enable SID filtering for the trust.
- C. Enable Selective authentication for the trust.
- D. Change the trust to a one-way external trust.
Suggested answer: C. Enable Selective authentication for the trust.
The suggested answer is correct.
If you choose selective authentication, users in the trusted forest are not considered authenticated users in the trusting forest. Instead, you must explicitly designate the computers to which the users can authenticate by granting them the Allowed to Authenticate permission on those computers. Modifying the security settings of the user account has no bearing on this behavior. Disabling SID filtering does not allow User1 to authenticate to Server1, and it violates the principle of least privilege. Changing the trust relationship mode to forest-wide resolves the issue, but it violates the principle of least privilege.
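The two steps the explanation describes (switch the trust to selective authentication, then grant Allowed to Authenticate on the computer object), as an added PowerShell example that is not part of the original page. It assumes a contoso.com administrator session on a host with RSAT (netdom and the ActiveDirectory module) and that the computer object is named server1; the GUID is the schema rightsGuid of the Allowed-To-Authenticate extended right.

```powershell
# Added example, not from the original page.
# Assumptions: run as a contoso.com domain admin with RSAT installed;
# the computer account for server1.contoso.com is named 'server1'.
Import-Module ActiveDirectory

# Step 1: on the trusting side (contoso.com), switch the trust to
# fabrikam.com from forest-wide to selective authentication.
netdom trust contoso.com /Domain:fabrikam.com /SelectiveAUTH:Yes

# Confirm the trust now reports selective authentication.
Get-ADTrust -Identity 'fabrikam.com' |
    Select-Object Name, Direction, SelectiveAuthentication

# Step 2: grant fabrikam\Group1 the "Allowed to Authenticate" extended
# right on the server1 computer object, and on nothing else.
$allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

$computer = Get-ADComputer -Identity 'server1'
$path     = "AD:\$($computer.DistinguishedName)"

# Resolve the trusted-forest group to a SID across the trust.
$account = New-Object System.Security.Principal.NTAccount('fabrikam', 'Group1')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuth)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Step 3: audit who holds the right on server1. Only the intended
# group should appear as a principal from the trusted forest.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuth } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

The Allowed to Authenticate right only admits the group to authentication on server1; access to shares or files there is still governed by their own ACLs.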
empee1977
Highly Voted 1 year, 10 months ago
Selected Answer: C
Selective authentication is a feature that allows administrators to control which users from a trusted domain can access resources in a trusting domain. To meet your requirement of allowing only members of fabrikam\Group1 to authenticate to server1.contoso.com, you would need to enable selective authentication for the trust between contoso.com and fabrikam.com and then configure it to allow authentication for only members of fabrikam\Group1. This way, only members of fabrikam\Group1 would be able to access server1.contoso.com, while other users from the fabrikam.com forest would be denied access.
upvoted 8 times
monisshk
Most Recent 4 months, 2 weeks ago
Selected Answer: C
This question is valid. Exam date - 27-07-2024
upvoted 2 times
MR_Eliot
1 year, 2 months ago
Selected Answer: C
C for sure. No explanation needed.
upvoted 3 times
Returnerwesley
1 year, 6 months ago
The answer should be A because we only need to give Group1 the permission.
upvoted 2 times
JoeBob8912
3 months, 1 week ago
With a 2 way forest trust, all users in any of the domains and child domains of each forest can already authenticate with each other by default. So, we don't need to give anyone any more permissions, we just need to strip away permission from anyone that is not Group 1. To do that we have to enable selective authentication.
upvoted 1 times
leegend
1 year, 6 months ago
Got this question 28-5-23
upvoted 1 times
syu31svc
1 year, 9 months ago
Selected Answer: C
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/authn/trusts/netid-trust-implications/#:~:text=About%20Selective%20Authentication&text=Administrators%20must%20explicitly%20grant%20the,those%20users%20to%20login%20to.
By choosing ‘selective authentication’, users from the trusted domain are not members of the dynamic ‘Authenticated Users’ group. Administrators must explicitly grant the ‘allowed to authenticate’ permission on the AD computer object to the users/groups in the trusted domain for each computer object (in the trusting domain) you want to allow those users to login to. Answer is C
upvoted 4 times
raulgar
1 year, 10 months ago
I think answer A is more accurate
upvoted 3 times
Jawad1462
2 years, 1 month ago
Selected Answer: C
Is the correct answer
upvoted 4 times
vaaws
2 years, 2 months ago
C Selective authentication restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. This authentication setting must be manually enabled. Note: When a two way Forest Trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.
upvoted 4 times
ScarfaceRecords
2 years, 2 months ago
The answer should be A
upvoted 4 times
edykss
2 years, 2 months ago
Why A? C - Selective authentication in a forest trust enables you to limit which users and groups from the trusted domain are able to authenticate.
upvoted 3 times
SFM1993
1 year, 8 months ago
I'd say A by the fact that we're only told that group1 needs to be able to authenticate to server1, but not told that all other authentications from the trusted forest should be disallowed
upvoted 4 times
RungBaaz
2 years, 2 months ago
Should Be A.
upvoted 4 times