Allowed to Authenticate setting to group of computers

    Question

  • We have set up a one-way trust relationship with selective authentication enabled between two forest domains. We would now like to allow selected users of the trusted domain to authenticate to a selected number of computers in the trusting domain. But since we have a dedicated structure of OUs within that trusting domain, we would not like to put those selected computers in another OU where we could apply the "Allowed to Authenticate" permission. Instead we would like to create a group of computers to which this security setting could be applied. Is this possible? Or is there another way to do it?
    Monday, March 6, 2017 2:51 PM

Answers

  • Not via graphical interface. You could potentially script it and apply it to individual computers by enumerating group members and iterating through them in a loop - but keep in mind that you would need to re-run the script whenever the group membership changes.

    For an example of a script, refer to https://gallery.technet.microsoft.com/scriptcenter/ee72f69b-f746-4667-8303-e546d24bf2e4 - although note that this deals with granting the Allowed to Authenticate right in a slightly different scenario, so you would need to adjust it accordingly.

    hth
    Marcin

    • Marked as answer by marcatesat Wednesday, March 8, 2017 11:56 AM
    Monday, March 6, 2017 3:07 PM
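
One way to script the loop the answer above describes, as an added example that is not from the thread or from the linked gallery script. The group name and trusted principal are placeholders; it assumes the ActiveDirectory module (RSAT) and an account in the trusting domain that may modify the ACLs of the computer objects.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerGroup    = 'SelAuth-Computers',     # placeholder: group of computers, trusting domain
    [string]$TrustedPrincipal = 'TRUSTED\SelAuth-Users'  # placeholder: user or group, trusted domain
)
Import-Module ActiveDirectory   # provides Get-ADGroupMember and the AD: drive

# rightsGuid of the Allowed-To-Authenticate control access right
$allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid = ([System.Security.Principal.NTAccount]$TrustedPrincipal).Translate($sidType)

# Enumerate the group (nested groups included) and keep only computer objects
$computers = Get-ADGroupMember -Identity $ComputerGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' }

foreach ($c in $computers) {
    $path = "AD:\$($c.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Compare by SID on explicit ACEs only, so re-runs do not stack duplicates
    $existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.ObjectType -eq $allowedToAuth -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }
    if ($existing) { Write-Verbose "Already granted: $($c.Name)"; continue }

    # Allow ACE for the extended right, scoped to this one computer object
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuth)

    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Grant Allowed to Authenticate to $TrustedPrincipal")) {
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it with `-WhatIf` first to list the computer objects it would change. It only adds the ACE, so a computer that later leaves the group keeps the permission until it is removed separately.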

All replies

  • Hi,
    As Marcin said, it seems that there is no built-in method to do that, except for a script, which you could try and which may require scripting skills. If you have scripting requirements, you could post the question in the scripting forum:
    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction.
    Best regards,
    Wendy

    Tuesday, March 7, 2017 5:45 AM
    Moderator
  • Thank you Marcin for your answer! I think I can work something out with that in mind.

    Wednesday, March 8, 2017 11:56 AM