Cross domain group policy processing

[adamf]

We have 3 domains in our AD forest with users in all 3 domains that logon to computers which are in one domain. In one of the domains a user will log on get all their user settings applied by group policy but doesn't appear to get the offline files GP settings I have setup and as a result the 'Make Available Offine' context menu doesn't appear.

If I log onto the machine using an account that is in the same domain as the computer account, all the settings are applied as you would expect.

When I run both rsop.msc and gpresult the GPOs show as being applied.

There is nothing ovbious in the events logs.

Any ideas?

[AIT]

We have 3 domains in our AD forest with users in all 3 domains that logon to computers which are in one domain. In one of the domains a user will log on get all their user settings applied by group policy but doesn't appear to get the offline files GP settings I have setup and as a result the 'Make Available Offine' context menu doesn't appear.

If I log onto the machine using an account that is in the same domain as the computer account, all the settings are applied as you would expect.

When I run both rsop.msc and gpresult the GPOs show as being applied.

There is nothing ovbious in the events logs.

Any ideas?

Could you explain in abit more detail you setup and what you are trying to achieve. As i have read your post through several times cant quite understand what the problem is.

are you syaing users from the same domain log on and everythings fine and others have problems or only one domain is working?

[sted]

presumably you have a tree like this

school.local
|
-----------------------------------------------------------------------------------
|~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~|
dom1.school.local~~~~~~~~~dom2.school.local ~~~~~~dom3.school.local

and if user 1 in dom1.local logs in to a dom1.school.local pc it works fine but if user1.dom1.school.local logs in on a dom2 pc they dont get offline content?

sorry about the ~ but it keeps thinks lined up spaces just dissapear

[AIT]

presumably you have a tree like this

school.local
|
-----------------------------------------------------------------------------------
|~~~~~~~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~|
dom1.school.local~~~~~~~~~dom2.school.local ~~~~~~dom3.school.local

and if user 1 in dom1.local logs in to a dom1.school.local pc it works fine but if user1.dom1.school.local logs in on a dom2 pc they dont get offline content?

sorry about the ~ but it keeps thinks lined up spaces just dissapear

The next question would be is it the single group policy or the entire policy. Is security replicating?

[adamf]

The forest looks like this:

--------------------------------------domainA.local---------------------------------------------
-----------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------
---domainB.domainA.local--------------------------------------------------domainC.domainA.local


domainB and C are child domains of A with the relevant trusts.


The user account (and user policy) exists in domainA the computer account (and computer policy) exist in domainB

When the user logs onto domainA the user settings apply fine, but computer policies (from domainB) don't - in particular offline files (I don't get the "Make Available Offline" context). If a user in domainB logs onto the same machine it works.

It's all the computer policies that are not being applied. But as the computer policy is applied before logon occurs what I can't understand is why it doesn't work for users domainA.local - at the time the computer policy is applied it doesn't know what user from what domain is going to logon.

[AIT]

I know you are working at domain level rather than forest level. but without going into details of how you have set the trusts up etc. (you are correct in saying it should work)

just out of interest have you enabled this:
ComputerConfiguration\Administrative Templates\System\Group Policy\Allow
Cross-Forest User Policy and Roaming Profiles.

also do an rsop so we can see whats being applied or whats not. event viewer?

[adamf]

I haven't tried Allow Cross-Forest User Policy and Roaming Profiles because after reading it I thought it wasn't applicable. I'll enable that and give it a go.

Trust etc... are the ones setup automatically when you create a child domain.

I did both a gpresult and a rsop and they both suggest that the policies are applying.

Nothing in the events logs thats ovbious.

[adamf]

I've enabled Allow Cross-Forest User Policy and Roaming Profiles and it's made no difference.

[AIT]

I've enabled Allow Cross-Forest User Policy and Roaming Profiles and it's made no difference.

This might sound a silly question but are you using profiles?

[adamf]

Yer. Roaming Profiles.

[AIT]

Yer. Roaming Profiles.

Could i just make a suggestion of removing the profile form a user and trying that..

i have come across mandatory profiles causing a similar issue.. Worth a try.

[adamf]

I've removed the profile entry in AD, logged on and it's made no difference.

[AIT]

Ok next thought:

on the computer ou:

Computer Configuration.
Locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

This setting alows any user policy to be applied to the specific computer policy...

[adamf]

I don't really want to go down the loopback policy route becuase then it will start applying user settings based on the location of the computer object.