Forest.GetSelectiveAuthenticationStatus(String) Method


Gets a Boolean value that indicates whether selective authentication is enabled on the inbound trust relationship with the specified forest. true if selective authentication is enabled; otherwise, false.

 bool GetSelectiveAuthenticationStatus(System::String ^ targetForestName);
public bool GetSelectiveAuthenticationStatus (string targetForestName);
member this.GetSelectiveAuthenticationStatus : string -> bool
Public Function GetSelectiveAuthenticationStatus (targetForestName As String) As Boolean



The DNS name of the Forest with which the inbound trust relationship exists.


true if selective authentication is enabled; otherwise, false.


There is no trust relationship with the Forest that is specified by targetForestName.

The call to LsaQueryTrustedDomainInfoByName failed. For more information, see LsaQueryTrustedDomainInfoByName.

The target server is either busy or unavailable.

targetForestName is an empty string.

targetForestName is null.

The current object has been disposed.

The specified account does not have permission to perform this operation.


For a forest trust, if you opt for selective authentication, permissions must be manually enabled on each domain and resource in the local forest to which you want users in the other forest to have access.

When a user authenticates across a trust for which selective authentication is enabled, an Other Organization security ID (SID) is added to the user's authorization data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. After the user is authenticated, the server that authenticates the user adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs can be present in an authenticated user's context.

Applies to

See also