Your company has two divisions named Division1 and Division2. The network contains an Active Directory domain named contoso.com. The domain contains two child domains named divisionl.contoso.com and division2.contoso.com. The company sells Division1 to another company. You need to prevent administrators in contoso.com and division2.contoso.com from gaining administrative access to the resources in division1.contoso.com. What should you recommend?
A. Create a new tree in the forest named contoso.secure. Migrate the resources and the accounts in division1.contoso.com to contoso.secure.
B. On the domain controller accounts in division1.contoso.com, deny the Enterprise Admins group the Allowed to Authenticate permission.
C. Create a new forest and migrate the resources and the accounts in division1.contoso.com to the new forest.
D. In division1.contoso.com, remove the Enterprise Admins group from the Domain Admins group and remove the Enterprise Admins group from the access control list (ACL) on the division1.contoso.com domain object.