

Select the Scope of Authentication for Users

Applies To: Windows Server 2008

You can use Active Directory Domains and Trusts to specify the scope of authentication for users that are authenticating through external trusts or forest trusts.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To select the scope of authentication using the Windows interface

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the domain that you want to administer, and then click Properties.

  3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), do one of the following:

    • To select the scope of authentication for users that are authenticating through an external trust, click the external trust that you want to administer, and then click Properties. On the Authentication tab, click either Domain-wide authentication or Selective authentication.

    • To select the scope of authentication for users that are authenticating through a forest trust, click the forest trust that you want to administer, and then click Properties. On the Authentication tab, click either Forest-wide authentication or Selective authentication.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • For an external trust, if you select Selective authentication, you must enable permissions manually on the local domain and on the resource to which you want users in the external domain to have access.

  • For a forest trust, if you select Selective authentication, you must enable permissions manually on each domain and resource in the local forest to which you want users in the second forest to have access.

  • You can use selective authentication only on external trusts and forest trusts.
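
To confirm which scope each trust ended up with after the procedure, the setting can be read back from the directory. The script below is an added example, not part of the original procedure or Microsoft's code: it decodes the `trustAttributes` bit flags stored on each `trustedDomain` object. The function name `Get-TrustAuthScope` and the sample trust names are assumptions made for illustration, and the sample objects are constructed so the script runs offline.

```powershell
# Added example. Bit values are those of the trustAttributes attribute
# on trustedDomain objects in AD DS.
$TRUST_FOREST_TRANSITIVE  = 0x08  # forest trust
$TRUST_CROSS_ORGANIZATION = 0x10  # Selective authentication is enabled
$TRUST_WITHIN_FOREST      = 0x20  # trust inside the local forest

function Get-TrustAuthScope {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Trust  # needs Name, trustAttributes, trustDirection
    )
    process {
        $attrs     = [int]$Trust.trustAttributes
        $selective = [bool]($attrs -band $TRUST_CROSS_ORGANIZATION)

        if ($attrs -band $TRUST_WITHIN_FOREST) {
            # Selective authentication applies only to external and forest trusts.
            $type = 'Intra-forest'; $scope = 'n/a'
        } elseif ($attrs -band $TRUST_FOREST_TRANSITIVE) {
            $type  = 'Forest'
            $scope = if ($selective) { 'Selective authentication' } else { 'Forest-wide authentication' }
        } else {
            # Assumption: anything else is treated as an external trust
            # (realm trusts are not distinguished here).
            $type  = 'External'
            $scope = if ($selective) { 'Selective authentication' } else { 'Domain-wide authentication' }
        }
        $direction = switch ([int]$Trust.trustDirection) {
            1 { 'Incoming' }
            2 { 'Outgoing' }
            3 { 'Two-way' }
            default { 'Disabled' }
        }
        [pscustomobject]@{
            Trust = $Trust.Name; Type = $type; Direction = $direction; Scope = $scope
        }
    }
}

# Constructed sample input (not real trusts).
$sample = @(
    [pscustomobject]@{ Name = 'partner.example';   trustAttributes = 0x14; trustDirection = 2 }
    [pscustomobject]@{ Name = 'forest-b.example';  trustAttributes = 0x08; trustDirection = 3 }
    [pscustomobject]@{ Name = 'child.corp.example'; trustAttributes = 0x20; trustDirection = 3 }
)
$sample | Get-TrustAuthScope | Format-Table -AutoSize

# Live use (requires the ActiveDirectory module):
# Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Properties trustAttributes,trustDirection | Get-TrustAuthScope
```

Any external or forest trust reported with Domain-wide or Forest-wide authentication is one where Selective authentication has not been selected on the Authentication tab.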

Additional references