Select the Scope of Authentication for Users

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

You can use the Active Directory Domains and Trusts snap-in to specify the scope of authentication for users that are authenticating through external trusts or forest trusts.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To select the scope of authentication using the Windows interface

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

    To open Active Directory Domains and Trusts in Windows Server 2012, click Start, and then type domain.msc.

  2. In the console tree, right-click the domain node for the domain that you want to administer, and then click Properties.

  3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), do one of the following:

    • To select the scope of authentication for users that are authenticating through an external trust, click the external trust that you want to administer, and then click Properties. On the Authentication tab, click either Domain-wide authentication or Selective authentication.

    • To select the scope of authentication for users that are authenticating through a forest trust, click the forest trust that you want to administer, and then click Properties. On the Authentication tab, click either Forest-wide authentication or Selective authentication.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • For an external trust, if you select Selective authentication, you must enable permissions manually on the local domain and on the resource to which you want users in the external domain to have access.

  • For a forest trust, if you select Selective authentication, you must enable permissions manually on each domain and resource in the local forest to which you want users in the second forest to have access.

  • You can use selective authentication only on external trusts and forest trusts.
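
To review which scope each trust currently has without opening every Properties dialog, the following added PowerShell example (not part of the original Microsoft article) decodes the trustAttributes bits of each trust and flags external and forest trusts left at the domain-wide or forest-wide scope. The sample records and domain names are constructed; the bit values are the ones documented for trustAttributes in MS-ADTS, and treating every trust that is neither forest nor intra-forest as external is a simplifying assumption.

```powershell
# Added example. Bit values of the trustAttributes attribute (per MS-ADTS).
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication enabled
$TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20   # trust between domains of the same forest

function Get-TrustAuthScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Trust   # needs Name, Direction and TrustAttributes properties
    )
    process {
        $attrs     = [int]$Trust.TrustAttributes
        $selective = ($attrs -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -ne 0

        if ($attrs -band $TRUST_ATTRIBUTE_WITHIN_FOREST) {
            # Selective authentication applies only to external and forest trusts.
            $type = 'Intra-forest'; $scope = 'Not applicable'
        } elseif ($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) {
            $type  = 'Forest'
            $scope = if ($selective) { 'Selective authentication' } else { 'Forest-wide authentication' }
        } else {
            # Assumption: anything else is reported as an external trust.
            $type  = 'External'
            $scope = if ($selective) { 'Selective authentication' } else { 'Domain-wide authentication' }
        }
        [pscustomobject]@{
            Name = $Trust.Name; Direction = $Trust.Direction
            TrustType = $type;  AuthenticationScope = $scope
            # Review is true for an external or forest trust left at the wide scope.
            Review = ($type -ne 'Intra-forest' -and -not $selective)
        }
    }
}

# Constructed sample records shaped like Get-ADTrust output (placeholder names).
$sample = @(
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'Outbound';      TrustAttributes = 0x00 }
    [pscustomobject]@{ Name = 'vendor.example';     Direction = 'Outbound';      TrustAttributes = 0x10 }
    [pscustomobject]@{ Name = 'corp2.example';      Direction = 'BiDirectional'; TrustAttributes = 0x08 }
    [pscustomobject]@{ Name = 'merger.example';     Direction = 'Inbound';       TrustAttributes = 0x18 }
    [pscustomobject]@{ Name = 'child.corp.example'; Direction = 'BiDirectional'; TrustAttributes = 0x20 }
)
$sample | Get-TrustAuthScope | Format-Table -AutoSize

# On a host with the ActiveDirectory module, feed live data instead:
#   Get-ADTrust -Filter * | Get-TrustAuthScope | Where-Object Review
```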
