Selective Authentication Between AD Forests

Friday, October 28, 2011

In the Microsoft Management Console (MMC), load the Active Directory Domains and Trusts snap-in. From the properties of a forest trust you can set the scope of authentication (forest-wide or selective) for that trust, and the scope is set separately for the outgoing and incoming directions, so you can treat each direction differently depending on your needs.

With forest-wide authentication on an incoming forest trust, users from the outside forest are treated like local users for authentication purposes: they become members of Authenticated Users in the local forest and can authenticate to every computer in it. For example, if Forest1 has an incoming forest trust from Forest2 with forest-wide authentication, a Forest2 user can reach any resource in Forest1 to which Authenticated Users, or the user's own accounts and groups, have been granted permission. Because many default ACLs grant rights to Authenticated Users, you may not want users from the outside forest to have this level of access.

If you instead set selective authentication on the incoming forest trust, users from the second forest cannot authenticate to any computer in the local forest until you explicitly allow it, so you must grant permission per computer as well as per resource. In Active Directory Users and Computers, edit the Access Control List (ACL) of the computer object in the local forest that hosts the resource and add an Access Control Entry (ACE) granting the "Allowed to authenticate" extended right to the user or group from the second forest. Then grant that user or group access to the resources themselves (shared folder, printer, etc.). Both steps are required: share or NTFS permissions alone do nothing, because without the "Allowed to authenticate" ACE the logon is refused with "The machine you are logging onto is protected by an authentication firewall" before any resource permission is evaluated. Users who come in over a selective-authentication trust also carry the Other Organization SID (S-1-5-1000) in their token instead of This Organization (S-1-5-15), which makes the two modes easy to tell apart in access tokens and security logs.
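The whole procedure above (switch the incoming trust to selective authentication, grant "Allowed to authenticate" on the computer object, then grant the resource permission) can be scripted instead of clicked through the MMC. The following is an added example, not code from the original post: the forest names forest1.example and forest2.example, the group FOREST2\FileServerUsers, the computer FS01 and the share Data are placeholders, and the Get-ADTrust and Grant-SmbShareAccess cmdlets need the Windows Server 2012 or later RSAT, while netdom and the ACL edit work on 2008 R2 as well.

```powershell
# Added example, not from the original article. Assumed names:
#   forest1.example          local (trusting) forest, where the file server lives
#   forest2.example          trusted forest whose users need access
#   FOREST2\FileServerUsers  group in forest2 (hypothetical)
#   FS01                     computer object in forest1 hosting the share "Data"
# Run as a forest1 administrator with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$TrustingDomain = 'forest1.example'
$TrustedDomain  = 'forest2.example'
$ComputerName   = 'FS01'
$ForeignGroup   = 'FOREST2\FileServerUsers'
$ShareName      = 'Data'

# rightsGuid of the "Allowed-To-Authenticate" control access right; it is
# defined in the schema's Extended-Rights container and is the same in every forest.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Switch the incoming trust from forest-wide to selective authentication.
#    netdom runs in the trusting domain and names the trusted domain.
netdom trust $TrustingDomain /Domain:$TrustedDomain /SelectiveAuth:Yes

# Confirm the trusted domain object now reports selective authentication.
Get-ADTrust -Filter "Target -eq '$TrustedDomain'" |
    Select-Object Name, Direction, SelectiveAuthentication

# 2. Grant the forest2 group "Allowed to authenticate" on FS01's computer object.
#    The group lives in the other forest, so its SID is resolved over the trust.
$sid = ([System.Security.Principal.NTAccount]$ForeignGroup).Translate(
           [System.Security.Principal.SecurityIdentifier])

$computer = Get-ADComputer -Identity $ComputerName
$adPath   = "AD:\$($computer.DistinguishedName)"   # AD: drive is provided by the module

$acl = Get-Acl -Path $adPath
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
           $sid,
           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
           [System.Security.AccessControl.AccessControlType]::Allow,
           $AllowedToAuthenticate)
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Read the ACE back: with selective authentication in force, only the
# principals listed here may authenticate to FS01 from forest2.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $AllowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType

# 3. Resource permissions are a separate step: grant the share itself.
#    (On 2008 R2, without Grant-SmbShareAccess, set this in the share's
#    Properties > Permissions or with "net share".)
Grant-SmbShareAccess -Name $ShareName -AccountName $ForeignGroup `
    -AccessRight Change -Force
```

The check is made against each computer object individually, so step 2 has to be repeated for every server in the local forest that the forest2 users need to reach; a server that was missed shows up as the "authentication firewall" logon failure even when its share and NTFS permissions are correct.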
