Configuring Selective Authentication Settings

Grant the Allowed to Authenticate permission on computers in the trusting domain or forest

Updated: March 02, 2005

For users in a trusted Windows Server 2003 domain or forest to be able to access resources in a trusting Windows Server 2003 domain or forest, where the trust authentication setting has been set to selective authentication, each user must be explicitly granted the Allowed to Authenticate permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. For more information about how the Allowed to Authenticate permission works, see "Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=35413).

Note:

The Allowed to Authenticate permission can be set on computer objects that represent member servers running Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003.

Note:

By default, only members of the Account Operators, Administrators, Domain Admins, Enterprise Admins, and SYSTEM security groups that are located in the trusting domain can modify the Allowed to Authenticate permission.

To enable access to resources over an external trust or forest trust that is set to selective authentication, complete the following procedure by using Active Directory Users and Computers from the trusting domain.

Administrative credentials

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.

To grant the Allowed to Authenticate permission on computers in the trusting domain or forest

Using the Windows interface

1.

Open Active Directory Users and Computers.

2.

In the console tree, click the Computers container or the container where your computer objects reside.

3.

Right-click the computer object that you want users in the trusted domain or forest to access, and then click Properties.

4.

On the Security tab, do one of the following:

In Group or user names, click the user names or group names for which you want to grant access to this computer, select the Allow check box next to the Allowed to Authenticate permission, and then click OK.

Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.