Windows Server 2000/2003 Thread, Cross domain group policy processing in Technical; We have 3 domains in our AD forest with users in all 3 domains that logon to computers which are ...
  1. #1

    Join Date
    Apr 2007
    Location
    Croydon
    Posts
    493
    Thank Post
    18
    Thanked 29 Times in 28 Posts
    Rep Power
    20

    Question Cross domain group policy processing

    We have 3 domains in our AD forest with users in all 3 domains that log on to computers which are in one domain. In one of the domains a user will log on and get all their user settings applied by group policy, but doesn't appear to get the offline files GP settings I have set up, and as a result the 'Make Available Offline' context menu doesn't appear.

    If I log onto the machine using an account that is in the same domain as the computer account, all the settings are applied as you would expect.

    When I run both rsop.msc and gpresult the GPOs show as being applied.

    There is nothing obvious in the event logs.

    Any ideas?

  2. #2
    AIT
    Join Date
    Dec 2009
    Location
    Nottingham
    Posts
    369
    Thank Post
    46
    Thanked 32 Times in 30 Posts
    Rep Power
    18
    Quote Originally Posted by adamf
    We have 3 domains in our AD forest with users in all 3 domains that log on to computers which are in one domain. In one of the domains a user will log on and get all their user settings applied by group policy, but doesn't appear to get the offline files GP settings I have set up, and as a result the 'Make Available Offline' context menu doesn't appear.

    If I log onto the machine using an account that is in the same domain as the computer account, all the settings are applied as you would expect.

    When I run both rsop.msc and gpresult the GPOs show as being applied.

    There is nothing obvious in the event logs.

    Any ideas?
    Could you explain in a bit more detail your setup and what you are trying to achieve? As I have read your post through several times, I can't quite understand what the problem is.

    Are you saying users from the same domain log on and everything's fine and others have problems, or only one domain is working?

  3. #3


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,208
    Thank Post
    218
    Thanked 812 Times in 694 Posts
    Rep Power
    274
    Presumably you have a tree like this:

    school.local
    |
    -----------------------------------------------------------------------------------
    |~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~|
    dom1.school.local~~~~~~~~~dom2.school.local ~~~~~~dom3.school.local

    and if user 1 in dom1.local logs in to a dom1.school.local PC it works fine, but if user1.dom1.school.local logs in on a dom2 PC they don't get offline content?

    Sorry about the ~ but it keeps things lined up; spaces just disappear.

  4. #4
    AIT
    Quote Originally Posted by sted
    Presumably you have a tree like this:

    school.local
    |
    -----------------------------------------------------------------------------------
    |~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~|
    dom1.school.local~~~~~~~~~dom2.school.local ~~~~~~dom3.school.local

    and if user 1 in dom1.local logs in to a dom1.school.local PC it works fine, but if user1.dom1.school.local logs in on a dom2 PC they don't get offline content?

    Sorry about the ~ but it keeps things lined up; spaces just disappear.
    The next question would be: is it the single group policy or the entire policy? Is security replicating?

  5. #5

    The forest looks like this:

    --------------------------------------domainA.local---------------------------------------------
    -----------------------------------------------------------------------------------------------
    -----------------------------------------------------------------------------------------------
    ---domainB.domainA.local--------------------------------------------------domainC.domainA.local


    domainB and C are child domains of A with the relevant trusts.


    The user account (and user policy) exists in domainA; the computer account (and computer policy) exists in domainB.

    When the user logs onto domainA the user settings apply fine, but computer policies (from domainB) don't - in particular offline files (I don't get the "Make Available Offline" context). If a user in domainB logs onto the same machine it works.

    It's all the computer policies that are not being applied. But as the computer policy is applied before logon occurs, what I can't understand is why it doesn't work for users in domainA.local - at the time the computer policy is applied it doesn't know what user from what domain is going to log on.

  6. #6
    AIT
    I know you are working at domain level rather than forest level, but without going into details of how you have set the trusts up etc. (you are correct in saying it should work)

    Just out of interest, have you enabled this:
    Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming Profiles.

    Also do an RSoP so we can see what's being applied or what's not. Event viewer?

  7. #7

    I haven't tried Allow Cross-Forest User Policy and Roaming Profiles because after reading it I thought it wasn't applicable. I'll enable that and give it a go.

    Trusts etc. are the ones set up automatically when you create a child domain.

    I did both a gpresult and a rsop and they both suggest that the policies are applying.

    Nothing in the event logs that's obvious.
    Last edited by adamf; 10th December 2009 at 07:46 AM.

  8. #8

    I've enabled Allow Cross-Forest User Policy and Roaming Profiles and it's made no difference.

  9. #9
    AIT
    Quote Originally Posted by adamf
    I've enabled Allow Cross-Forest User Policy and Roaming Profiles and it's made no difference.
    This might sound a silly question but are you using profiles?

  10. #10

    Yer. Roaming Profiles.

  11. #11
    AIT
    Quote Originally Posted by adamf
    Yer. Roaming Profiles.
    Could I just make a suggestion of removing the profile from a user and trying that.

    I have come across mandatory profiles causing a similar issue. Worth a try.

  12. #12

    I've removed the profile entry in AD, logged on and it's made no difference.

  13. #13
    AIT
    OK, next thought:

    On the computer OU:

    Computer Configuration.
    Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

    This setting allows any user policy to be applied to the specific computer policy...
    Last edited by AIT; 10th December 2009 at 10:11 AM.

  14. #14

    I don't really want to go down the loopback policy route because then it will start applying user settings based on the location of the computer object.
