Trusted Domains: GPO to apply when at other site

Stephen Henihan

We have two forests - one at either of two sites. There is a two way trust
between the sites, which appears to work well for the most part.
Users can visit between sites and log into their own domain by selecting it
from the list of domains at Windows logon.

The following is true for both sites:
Users are organised into their OUs as Staff and Students\Class.
Computers are organised into OUs based on Room\Classroom and Room\Staff.

Group Policy is used to set:
security and updates (and so on) on the computers
proxy settings, home drive, printer, etc. for the users

The link between the two sites is poor 128-256K (due to cursed ADSL).

However, when a user travels to the other site and logs in, none of their
user settings are applied from the GPO of their OU.

When a user signs in to the other site, the policy is (according to
GPResult) grabbed from their own site's domain controller.
The Computer Policy applied comes from the Computer's site
BUT no user policy is applied for the user from anywhere...

I would like users to have a site-local Group Policy so that they get local
printers and local proxy settings when logging into the other site.

Any suggestions? Have I made the situation clear enough?

Thanks
 
Steven L Umbach

The article in the first link below explains how to configure Group Policy
across trusted forests with some Group Policy settings. Also, since your link
is unreliable, you may be subject to slow link detection, which can limit much
of what is applied, though you can also modify those settings as explained in
the last two links. --- Steve

http://www.microsoft.com/technet/pr...elp/b44ba1b5-9f85-4bee-84c9-1994921658cd.mspx

Using Group Policy features across forests
The Windows Server 2003 family introduces a new feature called Forest Trust
that enables you to authenticate and authorize access to resources from
separate, networked forests. With trusts established between forests, you
can manage Group Policy throughout your enterprise, which provides greater
flexibility especially in large organizations. For more information on
forest trusts, see Forests in Group Policy Management Console.

This section describes Group Policy behavior in an environment with forest
trust enabled:

- It is not possible to link a GPO to a domain in another forest.

- With Forest trust, it is possible that a user in forest B could log
  onto a computer in forest A. In this case, when the computer starts up, it
  will process policy for the computer configuration from Forest A, as usual.
  When a user from Forest B logs on, where they receive their policy settings
  from depends on the value of the Allow Cross-Forest User Policy and Roaming
  Profiles policy setting.

    - When this setting is Not Configured, no user-based policy
      settings are applied from the user's forest. Instead, loopback Group
      Policy processing will be applied, using the Group Policy objects
      scoped to the computer. Users will receive a local profile instead of
      their roaming profile.

    - When this setting is Enabled, the behavior is exactly the same
      as Windows 2000 Server. User policy is applied from the user's forest
      and a roaming user profile is allowed from the trusted forest.

    - When this setting is Disabled, the behavior is the same as Not
      Configured.

  This setting is available on Windows Server 2003 located at: Computer
  Configuration\Administrative Templates\System\Group Policy\Allow
  Cross-Forest User Policy and Roaming Profiles.

- It is possible to deploy Group Policy settings to users and
  computers in the same forest, but have those settings reference servers in
  other trusted forests. For example, the shares that host software
  distribution points, redirected folders, logon scripts, and roaming user
  profiles could be in another trusted forest.

- Group Policy Modeling requires that both the user and the computer
  be in the same forest. If you want to simulate a user from Forest A logging
  on to a computer in Forest B, you must perform two separate Group Policy
  Modeling simulations: one for the user configuration and the other for the
  computer configuration.

- Delegation across forests is supported for managing Group Policy.
  For example, you can delegate to someone in Forest B the ability to perform
  Group Policy Modeling simulations on objects in Forest A.



http://support.microsoft.com/default.aspx?scid=kb;en-us;227260
http://support.microsoft.com/default.aspx?scid=kb;en-us;227369&sd=tech
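
Added example, not part of either post or of the quoted Microsoft text: because the quoted documentation says visiting users get loopback processing from the GPOs scoped to the computer, one way to deliver site-local user settings is to put them in the User Configuration of a GPO linked to the computers' OU. It assumes the GroupPolicy PowerShell module (GPMC/RSAT) is available; the GPO name, OU path and proxy address are hypothetical placeholders.

```powershell
# Added example. Run as a Group Policy administrator in the forest that
# owns the computers. All names below are hypothetical placeholders.
Import-Module GroupPolicy

$gpoName    = 'SiteA-Visitor-UserSettings'                # hypothetical GPO name
$computerOU = 'OU=Classroom,OU=Room,DC=sitea,DC=example'  # hypothetical OU DN
$proxy      = 'proxy.sitea.example:8080'                  # hypothetical proxy

# 1. Create the GPO and link it to the OU that holds the COMPUTERS.
#    Cross-forest users are processed in loopback mode, so only GPOs
#    scoped to the computer can supply their user settings.
New-GPO -Name $gpoName -Comment 'User settings for cross-forest logons' | Out-Null
New-GPLink -Name $gpoName -Target $computerOU -LinkEnabled Yes | Out-Null

# 2. Put the site-local USER settings in that GPO (HKCU = User Configuration).
#    Values written outside the Policies keys stay in the user's registry
#    after the GPO stops applying.
$ie = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $ie -ValueName 'ProxyEnable' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ie -ValueName 'ProxyServer' `
    -Type String -Value $proxy | Out-Null

# 3. Make the cross-forest behaviour explicit rather than relying on
#    Not Configured: 0 = Disabled, which the quoted text says behaves the
#    same (no user policy or roaming profile from the user's forest).
$sys = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $gpoName -Key $sys `
    -ValueName 'AllowX-ForestPolicy-and-RUP' -Type DWord -Value 0 | Out-Null

# 4. Review what is now scoped to the computer OU, and keep a report of
#    the new GPO for change control.
(Get-GPInheritance -Target $computerOU).InheritedGpoLinks |
    Select-Object DisplayName, Order, Enabled, Enforced
Get-GPOReport -Name $gpoName -ReportType Html `
    -Path (Join-Path $env:TEMP "$gpoName.html")
```

After a policy refresh on a computer in that OU, GPResult for a visiting user should list this GPO under the user settings.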
 
