Cross Forest Group Policy Management

Chrisagardner63 1 Reputation point
2020-09-04T18:22:56.753+00:00

Started at a new position recently. This company has 8 Forests and tree/child domains in the Forests. Each Forest and domain has a one-way trust with the Production Forest.

I have created accounts in the Production Forest, created a UG with the accounts, and added the UG to each Forest/Domain Built In Administrator group. This works; I can log on using these accounts to each Forest and Domain.

What I would like to do is manage Group Policy with these accounts. I have tested delegating permissions to the UG, but when I open GPMC I cannot see any of the settings of the GPOs I have delegated permissions to. I can see in the Security Tab of the GPO in the SYSVOL folder that the permissions are applied.

Is this a function of GPMC that I cannot do cross forest Group Policy Management? Or has anyone been able to do this?


1 answer

  1. Anonymous
    2020-09-07T02:09:52.947+00:00

    Hi,
    Based on my understanding, all the forests have a one-way trust to the production forest. The production forest is the trusted forest, right?
    From what I know, cross-forest Group Policy management can be done successfully if you assign the permissions successfully.

    For your situation, if your trust is correct, the users from the trusted forest can log on to the workstation in the trusting forest whether or not the users are added to the administrators group in the trusting forest. But if you want the users to log on to the DCs in the trusting forest, you need to add the users to the administrators group or manage it through the group policy: allow logon locally on the DCs.

    For Group Policy management, if you want to assign the permissions, log on to the GPMC server in the trusting forest with domain admins, and assign permissions as follows:
    Delegate creation of Group Policy objects using GPMC
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739363(v=ws.10)?redirectedfrom=MSDN#BKMK_Addgroup

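A check for the situation in this thread, added here as an example and not taken from either post: for every GPO in one trusting domain, it compares the delegation recorded on the GPO object in Active Directory (what GPMC's Delegation tab lists) with the NTFS ACL on the matching SYSVOL policy folder, and flags GPOs where the delegated group appears on one side only. The three parameters are placeholders for your own domain and group names; the group is matched by SID so the result does not depend on how the foreign name is displayed.

```powershell
# Added example. $TargetDomain, $TrusteeDomain and $TrusteeName are placeholders.
param(
    [Parameter(Mandatory)] [string] $TargetDomain,   # DNS name of the trusting domain that holds the GPOs
    [Parameter(Mandatory)] [string] $TrusteeDomain,  # name of the trusted (Production) domain
    [Parameter(Mandatory)] [string] $TrusteeName     # delegated group in the trusted domain
)
Import-Module GroupPolicy

# Resolve the group to a SID once, across the trust.
$account = [System.Security.Principal.NTAccount]::new($TrusteeDomain, $TrusteeName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$report = foreach ($gpo in Get-GPO -All -Domain $TargetDomain) {
    # AD side: permissions on the GPO object, as listed on GPMC's Delegation tab.
    $adPerm = Get-GPPermission -Guid $gpo.Id -All -DomainName $TargetDomain |
        Where-Object { $_.Trustee.Sid.Value -eq $sid }

    # SYSVOL side: NTFS ACL on the policy folder, read with SIDs rather than names.
    $path = "\\$TargetDomain\SYSVOL\$TargetDomain\Policies\{$($gpo.Id)}"
    $fsRules = @()
    try {
        $fsRules = @((Get-Acl -LiteralPath $path -ErrorAction Stop).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid })
    } catch {
        Write-Warning "Cannot read ACL on $path : $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Gpo          = $gpo.DisplayName
        AdPermission = ($adPerm.Permission -join ',')
        SysvolRights = ($fsRules.FileSystemRights -join ',')
        # True when the group is present on one side but not the other.
        Mismatch     = ([bool]$adPerm) -ne ([bool]$fsRules.Count)
    }
}

$report | Sort-Object Mismatch -Descending | Format-Table -AutoSize
```

Run it from a host with the GroupPolicy module installed, under an account that can read both the GPO objects and SYSVOL in the target domain.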

