You can use the Active Directory Domains and Trusts snap-in to specify the scope of authentication for users that are authenticating through external trusts or forest trusts.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.
To select the scope of authentication using the Windows interface
- Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.
- In the console tree, right-click the domain node for the domain that you want to administer, and then click Properties.
- On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), do one of the following:
  - To select the scope of authentication for users that are authenticating through an external trust, click the external trust that you want to administer, and then click Properties. On the Authentication tab, click either Domain-wide authentication or Selective authentication.
  - To select the scope of authentication for users that are authenticating through a forest trust, click the forest trust that you want to administer, and then click Properties. On the Authentication tab, click either Forest-wide authentication or Selective authentication.
Additional considerations
- To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.
- For an external trust, if you select Selective authentication, you must enable permissions manually on the local domain and on the resource to which you want users in the external domain to have access.
- For a forest trust, if you select Selective authentication, you must enable permissions manually on each domain and resource in the local forest to which you want users in the second forest to have access.
- You can use selective authentication only on external trusts and forest trusts.
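
To confirm which scope each trust ended up with after the procedure above, the following added example (not part of the original Microsoft procedure) lists every external and forest trust of a domain with its authentication scope. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name Get-TrustAuthenticationScope is hypothetical.

```powershell
# Added example: report the authentication scope of external and forest trusts.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-TrustAuthenticationScope {
    param(
        # Domain to inspect; defaults to the DNS domain of the logged-on user.
        [string]$Server = $env:USERDNSDOMAIN
    )

    Get-ADTrust -Filter * -Server $Server |
        # Selective authentication exists only on external and forest trusts,
        # so trusts between domains of the same forest are skipped.
        Where-Object { -not $_.IntraForest } |
        ForEach-Object {
            if ($_.ForestTransitive) { $kind = 'Forest' } else { $kind = 'External' }

            # Map the trust flags to the option names shown on the
            # Authentication tab of the trust's Properties dialog.
            if ($_.SelectiveAuthentication) {
                $scope = 'Selective authentication'
            } elseif ($_.ForestTransitive) {
                $scope = 'Forest-wide authentication'
            } else {
                $scope = 'Domain-wide authentication'
            }

            [pscustomobject]@{
                Trust     = $_.Name
                Direction = $_.Direction
                TrustType = $kind
                Scope     = $scope
            }
        }
}

# List the trusts, grouping the broader scopes together for review.
Get-TrustAuthenticationScope |
    Sort-Object Scope, Trust |
    Format-Table -AutoSize
```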