Group Policy processing with an Outgoing Trust

    Question

  • Hello,

    I have Forest A and Forest B.  If Forest B has an outgoing Trust (one-way) to Forest A, and a user account authenticates to Forest A while on a Forest B server (Forest A user account included in local admin group of Forest B server), does Group Policy from Forest A 'process' or 'follow' the user account on Forest B?  I don't think so cause don't we specifically have to enable 'Cross Forest Group Policy Processing' for this to occur?


    Thanks for your help! SdeDot

    Wednesday, April 29, 2015 10:12 AM

Answers

  • A user's policy can be applied when a user logs on to a workstation in another forest. Activate cross-forest policy processing by enabling the "Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming Profiles" policy for the machine. Then make sure that the workstation can access domain controllers in the user's domain. It might also be a good idea to go through the user policy and make sure all path references use the FQDN.

    Gleb.

    • Marked as answer by SdeDot Wednesday, April 29, 2015 12:36 PM
    Wednesday, April 29, 2015 10:42 AM
  • > admin group of Forest B server), does Group Policy from Forest A
    > 'process' or 'follow' the user account on Forest B?  I don't think so
    > cause don't we specifically have to enable 'Cross Forest Group Policy
    > Processing' for this to occur?
     
    Unless you enable cross forest GPO processing, it will not follow, but
    switch to Loopback "replace" mode instead.
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by SdeDot Wednesday, April 29, 2015 12:36 PM
    Wednesday, April 29, 2015 10:55 AM
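
A check for the two conditions the answers above describe, to run on the Forest B server. This is an added example, not code from either poster. It assumes the policy is stored as the `AllowX-ForestPolicy-and-RUP` registry value under the machine policy key, and `corp.foresta.example` is a placeholder for the user's domain in Forest A.

```powershell
# Added example. Run on the Forest B server that the Forest A account logs on to.
param(
    [string]$UserDomainFqdn = 'corp.foresta.example'   # placeholder: the user's domain in Forest A
)

# Registry value written by "Allow Cross-Forest User Policy and Roaming Profiles".
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$name  = 'AllowX-ForestPolicy-and-RUP'
$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

if ($value -eq 1) {
    "Cross-forest user policy: ENABLED (user GPOs from the user's own forest are processed)"
} else {
    # Behaviour described in the second answer: loopback "replace" mode.
    "Cross-forest user policy: not enabled (loopback replace; only this forest's GPOs apply)"
}

# Second condition: this machine must locate and reach DCs in the user's domain.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$UserDomainFqdn" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    "No DC locator SRV records resolved for $UserDomainFqdn (check conditional forwarders / DNS)"
    return
}

foreach ($dc in $srv) {
    foreach ($port in 389, 445) {   # LDAP for the GPO objects, SMB for SYSVOL
        $ok = Test-NetConnection -ComputerName $dc.NameTarget -Port $port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0,-40} tcp/{1,-4} {2}' -f $dc.NameTarget, $port, $(if ($ok) { 'reachable' } else { 'BLOCKED' })
    }
}
```

The first line of output also tells you which set of user GPOs to audit for that logon: Forest A's when the setting is enabled, Forest B's when it is not.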

All replies

  • Thanks for the responses guys.

    Thanks for your help! SdeDot

    Wednesday, April 29, 2015 12:36 PM