Using the Microsoft Management Console (MMC) load the snap-in for Active Directory Domains and Trusts. You can then set the scope of authentication between two forests that are joined by a forest trust.
The scope can be set differently for outgoing and incoming forest trusts depending on your needs.
If you use forest-wide authentication on an incoming forest trust, users from the outside forest have the same level of access to resources in the local forest as users who belong to the local forest.
For example, if Forest1 has an incoming forest trust from Forest2 and forest-wide authentication is used, users from Forest2 would be able to access any resource in Forest1, of course assuming they have the necessary
permissions. You may not want users from the outside domain having this type of access.
If you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each computer in the domain as well as the resources to which you want users in the second
forest to have access. To do this, modify the Access Control List (ACL) on the computer object and add an Access Control Entry (ACE) for the permission "Allowed to authenticate" on the computer object that hosts the
resource in the second forest (in Active Directory Users and Computers). Then, allow user or group access to the particular resources you want to share (shared folder, printer, etc..).
Recommended Books & Training Resources