group policy across multiple domains

gdadmins
Hello,
We would like to apply group policy settings to users who are in one domain (domain1) and log into computers on a different domain (domain2). We set user policies on domain1, but these policies only take effect when the users log into computers that are part of domain1 and not when they log onto computers that are part of domain2. The GPOs are targeting the OU that the users are in.
Are these domains in the same forest?

Commented:
First of all, it's not a good practice to link GPOs in a cross-domain scenario.
If you want to achieve this, please copy them into domain1. This will not keep them in sync, but you will get the desired results.
To do this, simply drag & drop the GPO from the domain 1 group policy objects to the domain 2 group policy objects. When you do this, you will be presented with a wizard; however, don't drag it into an OU, because when you do this, you are actually doing cross-domain linking.

Secondly, the domain structure is more logical than physical. So see it from this point of view: when the user logs on, what is his site, domain & OU? This is what is actually happening when your user logs on: he is getting GPOs from domain 1, which is his authentication domain, & not domain2.

Also, if this is a cross-forest trust, then your computer is actually going into loopback replace mode (assuming your workstation is greater than XP SP2).

Please tell me if something is not clear.

Domain1---user
Domain2---computer

Enable the policy "Allow Cross-Forest User Policy and Roaming User Profiles" in domain2.

Commented:
Firstly, please be warned if you enable Cross Forest User Policy, which is under:
Computer > Administrative Templates > System > Group Policy "Allow Cross Forest user policy and Roaming User Profiles"

the after effects of slow link & other things...

Considering what policies you have in your parent domain & what you want to get in the targeted domain, I would recommend getting the desired GPO in the target domain as described earlier.


Author

Commented:
Enabled Cross-Forest User Policy in Domain 2.  GPOs set in Domain1 now apply to users in Domain1 that log into Domain2 computers.
Thank you.
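
To check the setting discussed in this thread on a domain2 computer, the following added example (not part of the original thread) reads the registry value behind "Allow Cross-Forest User Policy and Roaming User Profiles" and compares the user's domain with the computer's domain. The function name and the GPO name in the commented-out command are hypothetical.

```powershell
# Added example (not from the thread). Run in PowerShell on a domain2 computer.
# Registry value that backs the computer policy
# "Allow Cross-Forest User Policy and Roaming User Profiles".
$PolicyKey   = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$PolicyValue = 'AllowX-ForestPolicy-and-RUP'

function Get-CrossForestUserPolicyState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured' for this computer.
    $prop = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ([int]$prop.$PolicyValue -eq 1) { return 'Enabled' }
    return 'Disabled'
}

$computerDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$userDomain     = $env:USERDNSDOMAIN      # empty for local accounts
$state          = Get-CrossForestUserPolicyState

# Summary object: where the computer lives, where the user lives, policy state.
[pscustomobject]@{
    ComputerDomain        = $computerDomain
    UserDomain            = $userDomain
    CrossForestUserPolicy = $state
}

if ($userDomain -and ($userDomain -ne $computerDomain)) {
    if ($state -eq 'Enabled') {
        'User GPOs from the user''s own domain are allowed on this computer.'
    } else {
        'Setting not enabled: across a forest trust, user settings come from the computer''s GPOs (loopback replace).'
    }
}

# List the user-scope GPOs that were actually applied at this logon.
gpresult /r /scope user

# To enable the setting through a GPO linked to the domain2 computers
# (needs the GroupPolicy module; the GPO name is a hypothetical placeholder):
# Set-GPRegistryValue -Name 'Domain2 Computers - Cross-Forest User Policy' `
#     -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
#     -ValueName 'AllowX-ForestPolicy-and-RUP' -Type DWord -Value 1
```

With the setting enabled, user-side GPO content authored in domain1 (including logon scripts) runs on domain2 computers, so whoever can edit those GPOs gains influence over user sessions on domain2 machines. Scope the GPO that enables it to the computers that need it rather than the whole domain.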
