Windows NT domain trusts: TUNA trusts BASS (one-way). You want user Lisa from BASS to administer the TUNA domain during your absence. Which group configuration enables this cross-domain administration correctly?

Difficulty: Medium

Correct Answer: Create a global group in BASS (Gbl-Admins) containing Lisa, and add BASS\Gbl-Admins to the local Administrators group in TUNA

Explanation:


Introduction / Context:
Classic Windows NT domain administration employs well-known group scoping rules and trust relationships. With a one-way trust where TUNA trusts BASS, TUNA may assign permissions to security principals from BASS. Using the correct combination of global and local groups is crucial for least privilege and manageability.



Given Data / Assumptions:

  • One-way trust: TUNA trusts BASS (TUNA accepts BASS identities).
  • Goal: allow BASS\Lisa to administer TUNA.
  • We must respect NT group scope semantics (Global vs Local groups).


Concept / Approach:
Global groups contain user accounts from their own domain; local groups (on a member server or domain local in later models) grant rights on resources. Best practice: put users into a global group in their account domain, then add that global group to a local Administrators group in the resource domain. Because TUNA trusts BASS, TUNA can place a BASS global group into its local Administrators.



Step-by-Step Solution:

  • Create BASS\Gbl-Admins and add BASS\Lisa to it.
  • On a TUNA server or in domain local context, add BASS\Gbl-Admins to TUNA's local Administrators.
  • Trust allows TUNA to validate BASS identities and grant rights accordingly.
  • Lisa now has administrative rights in TUNA while the trust is in place.


Verification / Alternative check:
Log in as BASS\Lisa and open Computer Management on a TUNA server; verify administrative tasks are permitted. Audit group membership to confirm effective rights.



Why Other Options Are Wrong:

  • Adding foreign users directly to Domain Admins or using local groups in the wrong domain violates scope rules or least privilege.
  • Nesting a BASS local group into a TUNA global group is not valid; global groups cannot contain accounts from other domains.


Common Pitfalls:
Confusing global vs local scope nesting rules and granting Domain Admins unnecessarily, which over-privileges the user beyond the specific administrative need.



Final Answer:
Create a global group in BASS (Gbl-Admins) containing Lisa, and add BASS\Gbl-Admins to the local Administrators group in TUNA
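
The scoping rules and the membership audit described above, as an added Python model (not part of the original question): it enforces the global/local nesting rules and the trust direction, then expands TUNA's Administrators group to its effective users. `Directory`, `accepts` and `page_configuration` are hypothetical names; only the domain, group and user names come from the question.

```python
# Added illustration: a toy model of NT group scopes and trust direction.
TRUSTS = {("TUNA", "BASS")}  # (trusting, trusted) pairs: TUNA trusts BASS

def domain_of(name):
    return name.split("\\", 1)[0]

def accepts(resource_domain, account_domain):
    """A domain accepts its own principals and those of domains it trusts."""
    return (resource_domain == account_domain
            or (resource_domain, account_domain) in TRUSTS)

class Directory:
    def __init__(self):
        self.groups = {}  # group name -> (scope, set of member names)

    def create(self, name, scope):
        self.groups[name] = (scope, set())

    def add_member(self, group, member):
        scope, members = self.groups[group]
        is_group = member in self.groups
        if scope == "global":
            # Global groups hold only user accounts from their own domain.
            if is_group or domain_of(member) != domain_of(group):
                raise ValueError(f"{member} cannot join global group {group}")
        else:
            # Local groups take users and global groups from accepted domains.
            if is_group and self.groups[member][0] != "global":
                raise ValueError(f"{member} is not a global group")
            if not accepts(domain_of(group), domain_of(member)):
                raise ValueError(f"{domain_of(group)} does not trust {member}")
        members.add(member)

    def effective_users(self, group):
        """Expand nested groups to the user accounts that hold the right."""
        users = set()
        for m in self.groups[group][1]:
            users |= self.effective_users(m) if m in self.groups else {m}
        return users

def page_configuration():
    """Build the configuration given as the correct answer."""
    d = Directory()
    d.create("BASS\\Gbl-Admins", "global")
    d.create("TUNA\\Administrators", "local")
    d.add_member("BASS\\Gbl-Admins", "BASS\\Lisa")
    d.add_member("TUNA\\Administrators", "BASS\\Gbl-Admins")
    return d
```

Calling `effective_users("TUNA\\Administrators")` on the result is the audit step: it should list exactly the accounts intended to hold administrative rights in TUNA.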
