Domain Trust with Selective Permissions - Object permission Allowed to Authentiicate applied by OU?

http://technet.microsoft.com/en-us/library/cc738653(v=ws.10).aspx

Referencing the page above: My goal is to have all computers in the domain allow authentication from the object I am adding. In other words: •Click Add. In Enter the object names to select, type the name of the user object or group object for which you want to grant access to this resource computer, and then click OK. Select the Allow check box next to the Allowed to Authenticate permission, and then click OK.

I want to be able to add that to multiple machines at once (all in the OU, or even globally) and have "Allowed to Authenticate" be the only permission for the group object. I have been unable to locate an answer on this, or if it's even possible.

Thanks!


You can apply the "Allowed to authenticate" permission to a OU, by configuring the permission to apply to all descendant computer objects; this will assign the permission to all computers in the OU.

Right-click on the OU, select Properties, then Security, then click on "Advanced".
Click "Add", or select an existing account and click "Edit".
In the "Applies to:" field, select "Descendant Computer objects". (*)
Enable the permission "Allowed to authenticate".

(*) This will change the contents of the window to show computer-specific permissions; otherwise "Allowed to authenticate" will not be shown in the list, because it can only be applied to computer objects.

enter image description here