A great question was raised whether the Kerberos authentication was most or least restrictive on rights and access. First a little background - Kerberos authentication in an Intel vPro world allows you to specify an NT user or group for authentication purposes, and to authorize them for Intel AMT realm access on the provisioning Intel vPro device.
What if a user is a member of two different groups, both of which are defined in the provisioning profile, with each group having different authorization to the Intel AMT realms? For example - GroupA can only remotely power a system, while GroupB can only place System Defense filters on a system. If User1 is a member of GroupA and GroupB - what resulting access does that user get?
The answer is "least restrictive" - in that the user has the combination of authorization from both GroupA and GroupB.
Interested to hear what the community has experienced. Keep the questions coming.