Title: Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest
Hello Stephen,
 
You'll need to set the "Allow Cross-Forest User Policy and Roaming Profiles" policy, and AFAIK it was also introduced in Windows 2000 SP4. You are able to set this via the registry as well. We had a somewhat similar scenario: W2k machines in an NT4 domain, user accounts and most of the servers in a WS2k3 domain. We noticed at the clients that they did not apply the policy due to the cross-forest behavior after applying SP4 on them. Setting the policy fixed that. The events we found are also mentioned in the description of the policy:
 
When this setting is Not Configured:
- No user based policy settings are applied from the user's forest
- User will not receive their roaming profiles, they will receive a local profile on the computer from the local forest. A warning message will be shown to the user, and an Event Log message (1529) will be posted.
- Loopback Group Policy processing will be applied, using the Group Policy Objects scoped to the machine.
- An Event Log message (1109) will be posted stating that Loopback was invoked in replace mode.
 
Hope this helps.
 
Ulf B. Simon-Weidner
 

Sent: Thursday, April 01, 2004 12:36 AM
Subject: [ActiveDir] Cross forest policies - boxes in Win2k domain, users in win2k3 single domain forest

Hello all,

Having moved all of our users from an NT4 account domain to a Windows 2003 domain, we have a requirement to set policies on our Citrix servers, which sit in a separate Windows 2000 forest, to control policies for users from our trusted single-domain Windows 2003 forest, e.g. to run registry editing tools, etc.

This is a bit long-winded, but this is what we are trying to do and are not sure how to proceed:

The "Default User" on the Citrix servers is configured with some default settings, including the "disable registry editing tools" policies.

When we were still using an NT4 account domain, the Citrix servers were configured to get .POL files from the hard drive instead of the DCs. This way we had NT4 policies that were only in effect when logging into the Citrix servers; there were also group membership controls in the .POL files so that admin accounts had the policies lifted.

The problems we need to solve are:

1. Policy lockdown for users coming from outside the Win2k domain (where the Citrix servers live) when they log on to the Citrix servers.

At present we are relying on the settings inherited from "Default User" for the Win2k3 domain accounts. We need a way to have policies that apply to the Win2k3 domain users, but only when they log on to the Citrix servers (which are the only member computers in the Win2k domain). Policy loopback has been suggested (apply the computer policy to users regardless of the domain they logged on from), which looks promising, assuming it can be controlled by user group memberships (in the Win2k3 domain) to stop the admins getting the user policies.

2. Not to apply the policies for admin Win2k3 domain accounts when logging on to the Citrix boxes.

Cross-forest GPOs only work when both domains are W2K3, which I would expect is not going to happen any time soon. And we need to relax the policies being picked by the admins.

Hope this makes sense!?


Stephen Wilkinson

Tel       +44(0)207 4759276
Mobile  +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]
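A read-only check for what both messages describe, added here as an example that is not part of the thread (it is neither Ulf's nor Stephen's code, and PowerShell postdates the thread): run on a member server such as the Citrix boxes, it reports whether the "Allow Cross-Forest User Policy and Roaming Profiles" setting from Ulf's reply and the loopback processing mode Stephen is considering are configured in the policy hive, and lists the Userenv 1529/1109 events Ulf says to look for. The registry value names `AllowX-ForestPolicy-and-RUP` and `UserPolicyMode`, the key path, and the Application log / Userenv source are my assumptions taken from the System.adm policy template, not facts stated in the thread; verify them against the template on the box before relying on the output.

```powershell
# Added example, not from the thread. Read-only: reports policy state, changes nothing.
# ASSUMPTIONS (mine): the value names, key path and event source below come from the
# System.adm template; confirm against the template shipped with your service pack.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Returns the DWORD for a policy-backed value, or $null when the value is absent
# (absent == the policy is "Not Configured" in the GPO editor).
function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

# "Allow Cross-Forest User Policy and Roaming Profiles" (Windows 2000 SP4 / 2003).
# Value name is an assumption from System.adm.
function Describe-CrossForestPolicy {
    $v = Get-PolicyDword -Path $PolicyKey -Name 'AllowX-ForestPolicy-and-RUP'
    if ($null -eq $v) {
        return 'Not Configured: user GPOs from the trusted forest will not apply; expect Userenv events 1529 and 1109 at logon'
    }
    if ($v -eq 1) { return 'Enabled: user policy and roaming profiles from the trusted forest are processed' }
    return 'Disabled'
}

# "User Group Policy loopback processing mode". Value name is an assumption from System.adm.
function Describe-LoopbackMode {
    $v = Get-PolicyDword -Path $PolicyKey -Name 'UserPolicyMode'
    if ($null -eq $v) { return 'Not Configured (no loopback)' }
    if ($v -eq 1)     { return 'Merge mode: user GPOs applied first, then the computer-scoped user settings' }
    if ($v -eq 2)     { return 'Replace mode: only the computer-scoped user settings apply (Userenv 1109 when invoked)' }
    return "Unexpected value $v"
}

# The two events Ulf's reply cites: 1529 = no roaming profile from the user's forest,
# 1109 = loopback invoked in replace mode. Log/source are assumptions for 2000/2003.
function Get-CrossForestEvents {
    param([int]$Newest = 500)
    Get-EventLog -LogName Application -Source Userenv -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1529 -or $_.EventID -eq 1109 } |
        Select-Object TimeGenerated, EventID, UserName, Message
}

Write-Host ('Cross-forest user policy : ' + (Describe-CrossForestPolicy))
Write-Host ('Loopback processing      : ' + (Describe-LoopbackMode))
Write-Host ''
Write-Host 'Recent Userenv 1529/1109 events:'
Get-CrossForestEvents | Format-Table -AutoSize
```

If the first line reports "Not Configured" on a Win2k SP4 Citrix server, that matches the symptom in the thread: users from the Win2k3 forest get a local profile and only loopback, machine-scoped user settings, with 1529 and 1109 logged. Loopback in replace mode is also what gives the admin accounts the lockdown Stephen wants to avoid, so the filtering on Win2k3 group membership he mentions has to be done on the GPO (security filtering on the machine-side GPO) rather than by the loopback value itself, which is a single DWORD and carries no group information.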


