Hi,
I am working on an Active Directory Risk Assessment program, and one of the recommendations is "Disable cross forest TGT delegation".
Here is the explanation provided by MS:
Cross forest TGT delegation is currently allowed for one or more forest trusts. When full delegation is enabled for Kerberos on a server, the server can use the delegated ticket-granting ticket (TGT) to connect as the user to any server, including those across a one way trust. In Windows Server 2012, a trust across forests can be configured to enforce the security boundary by disallowing forwarding TGTs to enter other forests.
I entered the command below and received the error message. Please assist.
I am logged in as domain Administrator.
netdom trust AD.COM /domain:ABC.net /enabletgtdelegation:no
Access is denied.
The command failed to complete successfully.
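
For auditing which trusts the recommendation applies to, the following is an added example, not part of the original post or of Microsoft's tooling. It decodes the TGT delegation bits of each trust's trustAttributes value as defined in [MS-ADTS]; the function name, the state labels and the sample trusts are constructed for illustration.

```powershell
# Bit values of the trustedDomain object's trustAttributes attribute ([MS-ADTS]).
$FOREST_TRANSITIVE     = 0x008  # TRUST_ATTRIBUTE_FOREST_TRANSITIVE (forest trust)
$NO_TGT_DELEGATION     = 0x200  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
$ENABLE_TGT_DELEGATION = 0x800  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
$Directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

# Hypothetical helper: reports the TGT delegation flags of one trust object.
function Get-TgtDelegationState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Trust
    )
    process {
        $attrs  = [int]$Trust.trustAttributes
        $no     = [bool]($attrs -band $NO_TGT_DELEGATION)
        $enable = [bool]($attrs -band $ENABLE_TGT_DELEGATION)
        if ($no -and $enable) {
            $state = 'Conflicting'        # both bits set: review by hand
        } elseif ($enable) {
            $state = 'ExplicitlyEnabled'  # the finding the assessment flags
        } elseif ($no) {
            $state = 'Blocked'
        } else {
            # Effective behaviour here depends on the DCs' OS and update level.
            $state = 'NeitherFlagSet'
        }
        [pscustomobject]@{
            Partner       = $Trust.trustPartner
            Direction     = $Directions[[int]$Trust.trustDirection]
            ForestTrust   = [bool]($attrs -band $FOREST_TRANSITIVE)
            Attributes    = '0x{0:X}' -f $attrs
            TgtDelegation = $state
        }
    }
}

# Constructed sample trusts so the script runs without a domain.
$sample = @(
    [pscustomobject]@{ trustPartner = 'partner-a.example'; trustDirection = 3; trustAttributes = 0x008 }
    [pscustomobject]@{ trustPartner = 'partner-b.example'; trustDirection = 2; trustAttributes = 0x208 }
    [pscustomobject]@{ trustPartner = 'partner-c.example'; trustDirection = 1; trustAttributes = 0x808 }
)
$sample | Get-TgtDelegationState | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADObject -SearchBase "CN=System,$((Get-ADDomain).DistinguishedName)" -LDAPFilter '(objectClass=trustedDomain)' `
#   -Properties trustPartner, trustDirection, trustAttributes | Get-TgtDelegationState
```

Reading the trust objects only needs ordinary read access to the directory, so this check can be run before any attempt to change the setting.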