Using this parameter with other prevalidation parameters

If you do not specify any groups for this parameter, then no group accounts are prevalidated to access the local computer. If you specify either the adclient.prevalidate.allow.users or adclient.prevalidate.allow.groups parameters, only those users and groups are prevalidated, with the exception of any users or groups specified by adclient.prevalidate.deny.users and adclient.prevalidate.deny.groups parameters. For example, to allow all users in the admins group to be prevalidated, except the users who are also members of the outsource group, you could set the adclient.prevalidate.allow.groups and adclient.prevalidate.deny.groups parameters like this:

adclient.prevalidate.allow.groups: admins
adclient.prevalidate.deny.groups: outsource

To allow prevalidation for all users in the zone without any exceptions, you can set the adclient.prevalidate.allow.groups parameter to all@zone. For example:

adclient.prevalidate.allow.groups: all@zone

For users or groups of users to be prevalidated, their accounts must be active accounts with permission to log on to the local computer and have a service principal name (SPN) set in the form of:


Where preval is the service name specified by the adclient.prevalidate.service parameter and username is the user logon name, which can be either of the following:

  • the name part of the user's UPN, if the domain part matches the user's domain
  • samAccountName, if the UPN is empty or the UPN's domain part is different from the user's domain