    We have a multidomain forest with root and subdomains. We created a bunch of GPOs in the root domain and applied them to the root and subdomains. We use security filtering as well, so there's a domain local group applied to the GPO, which includes universal groups from the root and subdomains, which include computers from the domains.

    That does not work in the subdomain. When we run gpresult /R, it says that the machine is applied to the domain local group from the root domain, but it also says that the GPO could not be applied because of security filtering.

    What's also not working is putting computer accounts from the subdomain directly into the domain local group of the root domain, which is used for security filtering.

    It works when we use a domain local group, for example from the subdomain, which includes computers from the subdomain, and attach this group directly to the security filtering of the GPO.

    I just want to know if this is normal behavior and if there is a better way in a multidomain environment. This should be somehow related to the scope of GPO security filtering and domain local groups, since this group usage (domain local from root with universal group from sub with users from sub in it) works perfectly, for example, when setting NTFS access rights.

