Answer confirmed
Question

Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com.

Contoso.com contains a server named Server1. Fabrikam.com contains a user named User1.

You configure a one-way trust relationship in which contoso.com trusts fabrikam.com and set authentication mode to selective.

You need to ensure that User1 can authenticate to Server1. The solution must follow the principle of least privilege.

What should you do?

Proposed answer
  • Disable the SID filtering of the trust relationship.
  • Modify the security settings for the computer account of Server1.
Correct answer

Modify the security settings for the computer account of Server1.

If you choose selective authentication, users in the trusted forest are not treated as authenticated users in the trusting forest. Instead, you must explicitly designate the computers to which those users can authenticate by granting them the Allowed to Authenticate permission on each computer's account object. Modifying the security settings of the user account has no bearing on this behavior. Disabling SID filtering does not allow User1 to authenticate to Server1, and it weakens the trust, which violates the principle of least privilege. Changing the trust's authentication mode to forest-wide authentication would resolve the issue, but it grants every fabrikam.com user access to every contoso.com computer and therefore also violates the principle of least privilege.
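As an added illustration (not part of the original question or the Microsoft Learn module), the following PowerShell grants User1 the Allowed to Authenticate extended right on Server1's computer object and then lists the resulting ACE. It assumes the NetBIOS name of the trusted forest is FABRIKAM, that the ActiveDirectory RSAT module is installed, and that the caller may modify the security descriptor of Server1's computer account.

```powershell
# Added example: grant a trusted-forest user (fabrikam.com) the
# "Allowed to Authenticate" right on one computer in the trusting forest
# (contoso.com) so a selective-authentication trust admits only that user
# to only that host.
Import-Module ActiveDirectory

$serverName  = 'Server1'          # computer in the trusting forest
$trustedUser = 'FABRIKAM\User1'   # user in the trusted forest (assumption: NetBIOS name FABRIKAM)

# Schema rightsGuid of the Allowed-To-Authenticate extended right
$allowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# Resolve the trusted-forest user to a SID; name lookup crosses the trust.
$sid = (New-Object System.Security.Principal.NTAccount($trustedUser)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Read the current security descriptor of Server1's computer object.
$computer = Get-ADComputer -Identity $serverName
$aclPath  = "AD:\$($computer.DistinguishedName)"
$acl      = Get-Acl -Path $aclPath

# One ACE: Allow ExtendedRight, object type = Allowed-To-Authenticate,
# scoped to this object only (no inheritance), for this single user.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Verify: show only the ACEs on Server1 that carry the Allowed-To-Authenticate right.
Get-Acl -Path $aclPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
```

The same right can be granted through the Security tab of the computer object in Active Directory Users and Computers; the verification query above is also a useful audit for finding every principal that has been allowed to authenticate to a given host.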

Create trust relationships - Training | Microsoft Learn