Identity with Windows Server 2016 — Question 190

Your network contains an Active Directory domain named contoso.com. The domain functional level is Windows Server 2012 R2.
You need to secure several high-privilege user accounts to meet the following requirements:
✑ Prevent authentication by using NTLM.
✑ Use Kerberos to verify authentication requests to any resources.
✑ Prevent the users from signing in to a client computer if the computer is disconnected from the domain.
What should you do?

Answer options

• A. Create a universal security group for the user accounts and modify the Security settings of the group.
• B. Add the users to the Windows Authorization Access Group group.
• C. Add the users to the Protected Users group.
• D. Create a separate organizational unit (OU) for the user accounts and modify the Security settings of the OU.

Correct answer: C

Explanation

The correct answer is C, as adding users to the Protected Users group enforces Kerberos authentication and disables NTLM for those accounts. Options A and D do not specifically address the requirements related to NTLM and Kerberos, while option B does not provide the necessary restrictions on sign-in for offline scenarios.