Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest
contains a single domain.
A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.
Contoso.com contains a group named Group 1.
Fabrikam.com contains a server named Server1.
You need to ensure that users in Group1 can access resources on Server1.
What should you modify?
A.
the permissions of the Group1 group
B.
the UPN suffixes of the contoso.com forest
C.
the UPN suffixes of the fabrikam.com forest
D.
the permissions of the Server1 computer account
Explanation:
Group1 must get the ‘Allowed To Authenticate’ permission on Server1, so I’d go for A, as given.
Answer D may sound tempting, but it speaks of permissions ofthe Server1 computer account.
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
pages 643, 644
After you have selected Selective Authenticationfor the trust, no trusted users will be able to access resources
in the trusting domain, even if those users have been given permissions. The users must also be assigned
the Allowed To Authenticate permission on the computer object in the domain.
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is
selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticatethat is, the
computer that trusted users will log on to or that contains resources to which trusted users have beengiven
permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check
box for the Allowed To Authenticate permission.
Correct answer is D.
This is similar to assigning NTFS permissions on a folder. When you add a group to a folder and assign a permission to that group, the ACL of the folder is being updated, not the group.
For this scenario, it is a similar set of circumstances. The group must be given the Allowed to Authenticate permission on the server it needs access to. This is similar in scope to assigning Read or Write permissions to an NTFS folder. Assignment of this permission results in a modification to the permissions of the Server1 computer account.
0
0
The sounding of the answers are not easy to get a hold on here. I`m not a native english speaker, so I struggle to see the difference between “permissions for a Group/computer” and “permissions of a Group/computer”.
If it was “Permissions for a Group/computer” I`d definitely og for A.
With this set of answers I not sure, but I think I`ll still go for answer A as the computer account doesn`t need other persmissions – It`s the Group that needs more permissions to connect to the computer. In other words; after the configuration is done the computer will have the same permissions as before.
0
0