Managing group policy from a different forest

    Question

  • I have two domains set in the environment in two different locations. We want to use one Domain admin account and be able to manage both environments. What would be the best practice to assign the group (builtin administrator account) to the second forest to be able to manage all group policy objects? Currently we can manually add a builtin admin account from the 1st domain to the Delegation section for each group policy object. Is that the recommended way? Any way to allow full access to the whole forest?
    Tuesday, May 17, 2016 5:14 PM

Answers

All replies

  • Hi.
    As far as I know, Group Policy enables you to authenticate and authorize access to resources from separate, networked forests. With full trusts established between forests, you can manage Group Policy throughout Active Directory regardless of the forest. GPMC supports management of multiple forests from within the console, when there is trust between the target forest and the forest of your user object.
    Please see details from: https://technet.microsoft.com/en-us/library/cc781968(v=ws.10).aspx

    Regards,
    Wendy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 18, 2016 1:41 AM
    Moderator
  • Thank you Wendy,

    From environment B I can see the forest (on the env A) as well as all the group policy objects. I can't edit them. I'm a member of the builtin local administrator group (on A env.). I have noticed that I can add that local administrator group (delegation section) to each group policy object, but I'm wondering if that's a smart/recommended way to do it.

    Tuesday, May 24, 2016 1:23 PM
  • Across a trust, you cannot be a member of the "remote" domain admins, so
    you must delegate anyway. It does not matter if you create a new group
    for that purpose or you add the existing administrators group to the
    required objects.
     
    Creating a new group would be best practice, anyway :)
     
    Tuesday, May 24, 2016 1:29 PM
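The per-GPO delegation the last reply recommends can be applied to every GPO at once and audited afterwards. The PowerShell below is an added example, not code from the thread; it assumes the GroupPolicy RSAT module is available, and uses placeholder names: the domain that owns the GPOs is 'corp-a.example' and 'CORP-A\GPO-Editors' is a new domain local group in that domain whose member is the admin group from the trusted forest.

```powershell
# Added example (not from the thread): grant one delegated group edit rights on every GPO
# and report the GPOs that still lack the grant. Domain and group names are placeholders.
Import-Module GroupPolicy

function Set-GpoDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $GroupName,
        # GpoEdit is enough to edit settings; GpoEditDeleteModifySecurity also lets the
        # group change a GPO's own delegation, so grant it only where that is intended.
        [ValidateSet('GpoEdit', 'GpoEditDeleteModifySecurity')]
        [string] $PermissionLevel = 'GpoEdit',
        [switch] $AuditOnly    # report gaps without changing anything
    )

    $gaps = @()
    foreach ($gpo in Get-GPO -All -Domain $DomainName) {
        # Get-GPPermission errors when the trustee has no entry on the GPO; treat that as missing.
        $current = Get-GPPermission -Guid $gpo.Id -DomainName $DomainName `
            -TargetName $GroupName -TargetType Group -ErrorAction SilentlyContinue
        if ($current -and $current.Permission -eq $PermissionLevel) { continue }

        $gaps += $gpo.DisplayName
        if ($AuditOnly) { continue }
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant $PermissionLevel to $GroupName")) {
            # Without -Replace the new entry is added alongside the existing delegation.
            Set-GPPermission -Guid $gpo.Id -DomainName $DomainName -TargetName $GroupName `
                -TargetType Group -PermissionLevel $PermissionLevel | Out-Null
        }
    }
    # GPOs that lacked the grant when inspected; an empty result means every GPO was delegated.
    return $gaps
}

# Audit first, then preview the changes with -WhatIf before applying them for real.
Set-GpoDelegation -DomainName 'corp-a.example' -GroupName 'CORP-A\GPO-Editors' -AuditOnly
Set-GpoDelegation -DomainName 'corp-a.example' -GroupName 'CORP-A\GPO-Editors' -WhatIf
```

GPOs created later do not receive this grant automatically, so the audit run is worth repeating on a schedule.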