Solved

External Trust - Group Policy not being applied on Windows 2003 Terminal Server for User in separate domain?

Posted on 2010-09-02
2,365 Views
Last Modified: 2013-12-04
I'm trying to use Folder Redirection on a Terminal Server for Users from another domain connected by an external trust.

Network configuration:

- 2 Windows 2003 domains, Domain A and Domain B
- External (non-transitive) trust with selective authentication configured between domains
- Domain A trusts Domain B
- Domain B does NOT trust Domain A
- Windows 2003 Terminal Server exists in Domain A (trusting domain)
- Folder Redirection is used on Terminal Server to redirect 'Start Menu' and 'Desktop' for Users, depending on what Security Group they are a member of. Folder redirection works fine for all users in Domain A.
- User1 in Domain B (trusted domain) can successfully log in to Terminal Server in Domain A (trusting domain), but Group Policy processing fails to apply, therefore Folder Redirection fails and User has access to all default programs instead of only those specified by the Folder Redirection.

Error messages in Application Log of Terminal Server when User1 logs in -
SOURCE: Userenv  EventID: 1109
CN=user1,CN=Users,DC=DomainB from a different forest logged onto this machine. Cross Forest Group Policy processing is disabled and loopback processing has been enforced in this forest for this user account.

SOURCE: Userenv  EventID: 1055
Windows cannot determine the computer name (Access is denied). Group Policy processing aborted.

Additional Information:
- User1 (Domain B) has been added to a Domain Local Security Group in Domain A which applies the Folder Redirection settings specified in a GPO applied to the OU where the Terminal Server resides in Domain A.
- Loopback processing is enabled for the mentioned GPO so User Configuration is mapped to anyone logging onto the Terminal Server. I don't need the User Policy from Domain B applied to the User at all, so the first error message (EventID: 1109) shouldn't matter.

I have everything configured and working correctly except the GPO that applies Folder Redirection for User1. Since the Terminal Server does not recognize the PC that User1 is using to log in to the Terminal Server, Group Policy processing is aborted for that user.

Anyone have any ideas as to why loopback processing isn't working correctly, even though my Application Log says that's the way it's working?

Question by:jthomas27
3 Comments
LVL 17

Expert Comment

by:Spike99
ID: 33589231
Is cross forest group policy processing enabled in the GPO?

Here's a  page I found about that:
http://www.boyce.us/gp/gpcontent.asp?ID=75

Alicia
0
 

Author Comment

by:jthomas27
ID: 33589371
No, I haven't enabled cross forest group policy processing since I don't need the User Configuration of User1 (Domain B) to be applied. I want the User Configuration setting on the GPO being applied to the Terminal Server to apply, which shouldn't be affected by the cross forest setting.

By NOT enabling cross forest group policy processing, I would expect it to work the way I want it to, which would be to apply the User Configuration of the GPO in Domain A to User1 in Domain B.

As a side note, I did apply that policy to see if it made any difference, which it didn't.

Thanks
0
 

Accepted Solution

by:
jthomas27 earned 0 total points
ID: 33646996
No solution found. I believe the problem is due to the trust being a one-way domain-to-domain trust with selective authentication instead of a two-way trust, but I can't verify.

My solution was to just create a separate Terminal Server for the Remote Domain Users and only allow them access to that particular server, which has nothing on it but the application they require access to.
0
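The thread leaves two things unverified: what the Userenv events on the Terminal Server actually say for the cross-forest logon (Event IDs 1109 and 1055 in the question), and what the trust and loopback settings on the Domain A side look like (the accepted answer suspects the one-way, selective-authentication trust). The script below is an added diagnostic, not something posted in this thread; it assumes it is run with admin rights on the Terminal Server in Domain A, that the ActiveDirectory PowerShell module is installed there (it was not available on Windows Server 2003, so on that platform only the event-log and registry parts apply), and that the trust object is named after the trusted domain's DNS name, which is passed in as `-TrustedDomain`.

```powershell
# Added diagnostic (not from the original thread). Run on the Terminal Server in
# the trusting domain (Domain A). -TrustedDomain is the DNS name of the trusted
# domain (placeholder: 'domainb.example'); the ActiveDirectory module is assumed.
param(
    [Parameter(Mandatory = $true)] [string] $TrustedDomain,
    [int] $Hours = 24
)

# 1. Userenv events from cross-forest logons.
#    1109: cross-forest user policy disabled, loopback enforced (informational for this setup)
#    1055: "cannot determine the computer name (Access is denied)" -> GP processing aborted
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-EventLog -LogName Application -Source Userenv -After $since |
    Where-Object { @(1109, 1055) -contains $_.EventID }

Write-Host "Userenv 1109/1055 events in the last $Hours hours: $($events.Count)"
$events | Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 2. Loopback and cross-forest policy values the computer has actually received.
#    UserPolicyMode: 1 = merge, 2 = replace, absent = loopback not applied to this machine.
#    AllowX-ForestPolicy-and-RUP: 1 = "Allow cross-forest user policy and roaming profiles".
$sys = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
    -ErrorAction SilentlyContinue
$loopback = if ($sys -and $sys.PSObject.Properties['UserPolicyMode']) {
    $sys.UserPolicyMode } else { 'not set' }
$xforest  = if ($sys -and $sys.PSObject.Properties['AllowX-ForestPolicy-and-RUP']) {
    $sys.'AllowX-ForestPolicy-and-RUP' } else { 'not set' }
Write-Host "Loopback UserPolicyMode        : $loopback"
Write-Host "AllowX-ForestPolicy-and-RUP    : $xforest"

# 3. Trust properties as seen from Domain A. Direction 'Outbound' corresponds to
#    "Domains trusted by this domain" in AD Domains and Trusts, i.e. Domain A trusts
#    Domain B; SelectiveAuthentication True means users from Domain B also need
#    "Allowed to Authenticate" on each Domain A computer they log on to.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'"
    if ($trust) {
        $trust | Select-Object Name, Direction, TrustType, ForestTransitive,
            SelectiveAuthentication | Format-List
    } else {
        Write-Warning "No trust object named '$TrustedDomain' found in this domain."
    }
} else {
    Write-Warning "ActiveDirectory module not available; check the trust in AD Domains and Trusts."
}
```

Reading the output against the question: a 1109 event alone is expected and harmless when loopback is intended, but every 1055 that follows it means the user session's policy run stopped before Folder Redirection was evaluated, regardless of what `UserPolicyMode` says, so the 1055 "Access is denied" is the event to chase rather than the loopback setting.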