Re: Can I permission a GPO to an univesal group ?

From: William P (WilliamP_at_discussions.microsoft.com)
Date: 03/14/05 

Date: Mon, 14 Mar 2005 00:01:01 -0800

George,

As long as there is a trust within the domains (assuming they are in the
same forest), you can add Users from different child domains to the Universal
group. The se

In the security filter of the GPO, check to make sure the READ and APPLY
GROUP POLICY are set to 'Allow' for your Universal group, otherwise the
Loopback won't apply. Also, make sure the computer itself is receiving the
policy by checking the secuirty filter to make sure the Computer Account is
in a group which also has READ and APPLY GROUP POLICY are set to 'Allow'.

Check your event log also for errors.

"George" wrote:

> William, please excuse me for not put the question complete.
> Actually , my question is I have a GPO ( for server lockdown) that link to
> an OU where I have a terminal server. This terminal server , while siting in
> our domain OU , will be access by differnt domain users within the same
> forest.
> Someone set the security filtering is to permission a universal group and
> seems like the GP does not apply to other domain users within that Universal
> group.
>
> Setting the Loopback Mode doesn't help to solve the problem as the main
> point is how can I enforce a GPO to a terminal server which will be accessed
> by user from different domain ?
>
> George
>
> "William P" <WilliamP@discussions.microsoft.com> wrote in message
> news:3FC69047-C83F-4769-AD58-43D68357AE45@microsoft.com...
> >I assume you mean modifying the security filter on a GPO to contain a
> > Universal group. Why not just create a Domain Local group. Then you can
> > add
> > global groups and domain local groups from other domains within your
> > forest
> > to this group.
> >
> > Depending upon how large your network is and replication latency within
> > and
> > how often the members of the groups change, I suggest Domain Local over
> > universal.
> >
> > William P.
> >
> > "George" wrote:
> >
> >> Hi, Can I permission a GPO to an univesal group ( that consists of
> >> members
> >> in other domain in the same forest )? If not , is there any workaround ?
> >> I
> >> only have permission in our domain and I can not link our GPO to other
> >> domain.
> >>
> >> George
> >>
> >>
> >>
> >>
> >>
>
>
>

Relevant Pages

  • Re: Cross Forest Administration
    ... Given that EA is a Universal Group it can ... contain objects from another forest is Domain Local. ... Enterprise Admins is a Universal group. ... users and trusts Forest C. Forest B holds resources used by internal ...
    (microsoft.public.windows.server.active_directory)
  • RE: restricted groups?
    ... transitive trust relationship between all domain in the forest, ... > impression that you create a Universal Group and add the Domain Admins from ... > A global group can contain other global groups and accounts from the same ... > other domain local groups from the same domain that the group belongs to. ...
    (microsoft.public.windows.server.active_directory)
  • RE: restricted groups?
    ... > transitive trust relationship between all domain in the forest, ... >> impression that you create a Universal Group and add the Domain Admins from ... >> A global group can contain other global groups and accounts from the same ...
    (microsoft.public.windows.server.active_directory)
  • Re: W2K3 cross domain trust
    ... > 2-way external non-transitive trust was formed between the domains. ... >> forest in which you reside. ... >>>> The group in abc.com is a universal group. ... >>> fuctional level of your domain higher than W2K Native mode. ...
    (microsoft.public.windows.server.active_directory)