Crossroads305

Map Drive to cross-domain users using GPP

I have users who log into another domain using Citrix, but they log in with their standard domain credentials using a trust. I am trying to use GPP to map drives; however, it will not map the drives to the users. I have added the users to a domain local security group from the other domain, which has a two-way forest trust. According to everything I find online this is how it should be done, but it's not working. If I add users from the domain they're logging into to the OU, it maps the drive fine. Did MS change how this is handled? Can I no longer do it this way? I'm only finding threads that date back to 2013 at the latest on this, and everyone seems to have gotten it to work by doing what I described. Any clues on what would be causing it? If I do a GPresult I see no GPOs being applied to those users in the security groups.

The domain I'm attempting this on is all Windows Server 2012 R2 and consists of 1 DC and 1 RDS.
SOLUTION
arnold
Crossroads305

ASKER

When I log in with cross-domain users, RSOP & GPresults show no user policies getting set on the cross-domain users. If a user is from the same domain as the server, it applies. The cross-domain users are in a domain local security group in the same OU as the domain users.
SOLUTION
I enabled loopback processing, set to Replace; the security filter is "Authenticated Users". I tried adding the specific users, and the group I added the users to, to the security context. When I run the GP result it doesn't even see my group policy for the user, so it says it only applied local group policy.
ASKER CERTIFIED SOLUTION
I'm trying to figure out how to map the drive through Citrix, but I don't see an option, only one for pass-through of already mapped drives.

However, I tried the computer loopback in the same GPO/GPP and have it set to Replace, with still no luck. But I did find some things about MS patching the security context filtering, so that GPO/GPP will only apply to "authenticated users" and "authenticated computers", and not individual users or computers, without those two groups having at minimum "read", to fix a security vulnerability. Then I learned that apparently cross-domain authenticated users are not considered "authenticated users" to the domain that they log into, so the GPO won't apply.

So I'm at a slight loss as to what I am to do, because my cross-domain users are not considered "authenticated users" from the domain they're on.

I have enabled (another thread said allow cross-forest was needed):
Allow cross-forest user policy and roaming user profiles  
Configure user Group Policy loopback processing mode

Still doesn't work. It just does not see the user policy.
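
A read-only check of the three things the comment above mentions (loopback mode, the cross-forest policy setting, and read access on the GPO for broad groups), as an added PowerShell example that is not part of the original thread. The GPO name is a placeholder, and the registry key is assumed to be where the two Administrative Template settings land on the RDS host.

```powershell
# Added example, not from the thread. Run on the RDS/Citrix host with the
# GroupPolicy module installed. The GPO name below is a placeholder.
param([string]$GpoName = 'DRIVE-MAP-GPO-PLACEHOLDER')
Import-Module GroupPolicy

# 1. Computer-side settings named in the post, as stored in the registry.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$sys = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# UserPolicyMode: 1 = Merge, 2 = Replace; absent means loopback is not set.
$loopback = @{ 1 = 'Merge'; 2 = 'Replace' }[[int]$sys.UserPolicyMode]
if (-not $loopback) { $loopback = 'Not configured' }

# "Allow cross-forest user policy and roaming user profiles"
$crossForest = 'Not enabled'
if ($sys.'AllowX-ForestPolicy-and-RUP' -eq 1) { $crossForest = 'Enabled' }

# 2. Trustees holding an allow entry that includes read on the GPO.
$readers = Get-GPPermission -Name $GpoName -All | Where-Object {
    -not $_.Denied -and $_.Permission.ToString() -match '^Gpo(Read|Apply|Edit)'
}

# 3. Is the GPO readable by Authenticated Users (S-1-5-11) or by
#    Domain Computers (RID 515)? Compared by SID, not by display name.
$broadRead = @($readers | Where-Object {
    $sid = $_.Trustee.Sid.Value
    $sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515'
}).Count -gt 0

[pscustomobject]@{
    Gpo                      = $GpoName
    LoopbackMode             = $loopback
    CrossForestPolicy        = $crossForest
    ReadByAuthUsersOrDomComp = $broadRead
    Readers                  = ($readers | ForEach-Object { $_.Trustee.Name }) -join ', '
}

# Afterwards, in the affected user's session:  gpresult /scope user /r
```

If the registry values show as not configured, the computer-side GPO carrying them has not reached the host yet; `gpupdate /force` followed by a fresh logon is needed before the user-scope result changes.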
SOLUTION
So now, in an attempt to recreate the failure to show my co-workers what I did, everything seems to be working fine. I am no longer able to get it to not work. I'm a little dumbfounded and confused, but it works and I guess that's what really matters.
Thanks for all the help, you pointed me in the right direction and I have got my solution. Thank you.