User Group Policy Update Cross-Domain-Trust

  • Question

  • We have the following infrastructure:

    1x customer-domain.local
    1x separate domain.local

    These two domains are connected via a trust.

    user1@customer-domain.local is the user account on the customer DC

    USER policies are defined on the separate DC.
    On the domain PC, which is a member of the separate domain, user1 logs in.

    The login goes to the separate DC, which forwards the request to the customer DC. (red arrow)

    user1 is logged in --> OK

    The Group Policy defined on the Separate DC for the user user1 is not pulled because:
    With GPUPDATE the domain PC wants to establish a direct connection to the customer DC (LDAP). (purple arrow). This
    is not allowed, however, as this must be routed through 3 firewalls and a direct connection to the customer DC is open.

    Why does the GPUPDATE not go via the Separate DC and then on to the Customer DC? The login to
    Windows works, only the GPUPDATE does not.
    Wednesday, 28 October 2020 19:21

All Replies

  • Why does the GPUPDATE not go via the Separate DC and then on to the Customer DC? The login to
    Windows works, only the GPUPDATE does not.

    Because a trust is only about authentication, not about retrieving information about the objects in AD or other things like policies.

    And user policies cannot be defined in a foreign domain other than via loopback, in which case they are not really user policies anymore but rather computer policies with a user part.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Wednesday, 28 October 2020 20:28
  • Hello Evgenij

    In a test setup I built the infrastructure this way. If the connection from the domain PC to the customer DC is opened, the user policies are pulled.

    Is there no alternative here? Can't LDAP forwarding or something similar be set up on the separate DC?

    Friday, 30 October 2020 08:14
  • Hi,

    well, after LDAP there is also SMB, to actually download the GPOs from the SYSVOL share ;-)

    The alternative would be to rebuild the user policies as loopback policies in the domain where the machine is located.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Friday, 30 October 2020 08:53
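An added PowerShell example, not part of the thread above, that makes the two replies concrete from an administrator's side: first a check from the domain PC that Group Policy needs both LDAP (389) and SMB (445) to a DC in the user's home domain, then the loopback alternative Evgenij describes, built as a GPO in the domain where the machine lives. The host name `dc01.customer-domain.local`, the domain name `separate-domain.local`, the GPO name and the OU path are assumed placeholders and must be replaced; the cmdlets are the standard `NetTCPIP` and `GroupPolicy` (RSAT) module cmdlets.

```powershell
# Added example (not from the thread). Run on the domain PC (member of separate-domain.local);
# part 2 additionally needs the GroupPolicy RSAT module and rights to create/link GPOs.

# --- Part 1: confirm which ports user Group Policy needs towards the user's home domain ---
# gpupdate for a user object reads the GPO list for that user via LDAP from the user's own
# domain and then downloads the GPO files from that domain's SYSVOL share via SMB.
$customerDc = 'dc01.customer-domain.local'   # placeholder: a DC in the user's home domain

$results = foreach ($port in 389, 445) {
    $t = Test-NetConnection -ComputerName $customerDc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $port
        Purpose   = if ($port -eq 389) { 'LDAP (GPO list)' } else { 'SMB (SYSVOL download)' }
        Reachable = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# What the client actually applied for the current user; with the ports above blocked,
# the user section shows no GPOs from customer-domain.local.
gpresult /r /scope:user

# --- Part 2: the loopback alternative, authored in the domain where the machine lives ---
Import-Module GroupPolicy

$gpoName  = 'Loopback-UserSettings-CustomerUsers'        # placeholder GPO name
$targetOu = 'OU=CustomerPCs,DC=separate-domain,DC=local' # placeholder OU containing the domain PCs

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# "Configure user Group Policy loopback processing mode" is stored as UserPolicyMode:
#   1 = Merge   (user's own GPOs, then the user settings of the computer's GPOs on top)
#   2 = Replace (only the user settings of GPOs linked to the computer apply)
# Replace is the closer fit here, as the user's own GPOs cannot be fetched anyway.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Link the GPO to the computer OU. The user settings themselves are then authored in this
# GPO (or in further GPOs linked to the same OU), so they come from separate-domain.local
# rather than from customer-domain.local.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks.DisplayName
if ($linked -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}
```

Part 1 is worth running before changing anything: if 389 is reachable but 445 is not, the client can enumerate the user's GPOs but never download them, which matches the "after LDAP there is also SMB" remark. Part 2 creates a computer-side GPO, which is why the resulting settings are, as the first reply puts it, computer policies with a user part.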