Parent and Child GPOs

Jesper

Hi,
I have set up a rootDC called rootDC.dk and two child DCs called
child1.rootDC.dk and child2.rootDC.dk. All my users are placed on the
parent DC. Is it possible to make a GPO for the global user that depends on
whether the user logs on in the child1 or child2 domain? One of the child
domains needs elevated installer rights (msi) for its users, the other
doesn't.

Regards
Jesper
 
Chriss3

Jesper, you can set a policy based on each domain if you want. Users in
child1 are not able to log in to child2 or the root domain, and the other way
around. The account must exist in each domain.

If you want to create a GPO for all domains, so that it doesn't matter what
domain the particular user is in, you can link a GPO to a Site object.
 
Jesper

Hi Chriss

> Jesper, you can set a policy based on each domain if you want. Users in
> child1 are not able to log in to child2 or the root domain, and the other way
> around. The account must exist in each domain.

But if I create a policy for the child1 domain, will this policy affect the user
when he/she is from the parent domain (when the user authenticates against
the rootDC.dk domain)?
 
Jesper

My theory was that I could create a security group (local group Sgrp) on
each child and add the parent users to Sgrp. Then put Sgrp in an OU and add
a GPO to that OU where the security settings were set to "read" and "apply"
for Sgrp. Then when these users log on in one of the child domains, Sgrp's
GPO is applied. Does this sound totally nuts?

Regards
Jesper
 
Jesper

Let me rephrase,
I create a local security group (local group Sgrp) on each child and add the
parent users to Sgrp. Then I add a GPO on the OU, in the root domain, where
all the users are placed (the parent users). I filter the scope of the GPO
by applying read + apply security settings for the local security group Sgrp,
from child1. Now, when one of the users from the parent domain logs on in
child1, the GPO is applied, but when he logs on in the child2 domain the GPO is
not applied since child2 doesn't know child1's security group.
I have tried this and it doesn't seem to work - but why not?

Regards
Jesper
 
Jesper

> Jesper, you can set a policy based on each domain if you want. Users in
> child1 are not able to log in to child2 or the root domain, and the other way
> around. The account must exist in each domain.

Ok, but will this policy be applied to the parent users when they log on to a
computer in either of the child domains?

> If you want to create a GPO for all domains, so that it doesn't matter what
> domain the particular user is in, you can link a GPO to a Site object.

But how about creating 5 different GPOs that are applied depending on where
the parent user logs on?

> --
> Regards
> Christoffer Andersson
>
> No email replies please - reply in the newsgroup

Regards
Jesper
 
Chriss3

inline

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

Jesper said:
> Ok, but will this policy be applied to the parent users when they log on to a
> computer in either of the child domains?
>
> But how about creating 5 different GPOs that are applied depending on where
> the parent user logs on?

[Christoffer] I'm not sure what you mean; users can only log on to domains
they themselves belong to.
 
Jesper

Hi Chris
The way I read your answer is:

I can either create or link a GPO for a site (containing different computers,
for ex. the computer running my root domain) or I can create or link a GPO
for each DC (children and root).

Neither of these two solutions would resolve my problem - that I want a user
(from the root domain) to have a GP depending on which domain he logs
on in. The user will either get the GP from the site object that contains the
computer running the root domain, from the GP placed on the rootDC, or from
the OU where the user is placed (in the rootDC).

Is this correctly understood?


Regards
Jesper
 
Chriss3

Hi Jesper, a Site can contain computers from multiple domains in the
particular forest, both root and child in your case if you want. By linking or
creating a GPO at Site level, the particular GPO will apply to all computers in
the particular Site. This site can contain computers in both domains.
 
Jesper

Hi Chriss

As I have understood the site structure - the GPOs applied to a certain site
will only affect the clients/servers in the site. If I made a user GP and
applied this to a site containing a childDC, then the GP would have an
effect on all the users on the childDC (when they log on to the computers in
the child domain) - the GP would not affect users from the parent domain
(when they log on to the computers in the child domain).

Nevertheless, I have acknowledged my lack of understanding of Active
Directory and ordered an AD consultant :)

Thanks for all your help Chriss, you have been really helpful!

Regards
Jesper
 
Jesper

Hi Chriss
It seems as if you were right - the site GPO might just do it :)

Thanks again for ALL your help!

Regards
Jesper
 
