Cross-Forest Group Policy application

After a couple of weeks without new postings on the blog, here goes a Windows and Group Policy behavior that I have been discussing with a customer lately. This is all about Group Policy application when considering a cross-forest logon.

Thinking about Group Policy application under “well-known”, normal circumstances, both the user and the computer account reside in the same Active Directory domain but in different OUs. During computer startup, computer Group Policy is applied: the computer evaluates its current OU location and walks up the OU tree to the domain node, evaluating all GPOs linked along the way. After that, site-based GPOs are evaluated. On its way up the OU tree, the computer considers only those GPOs that have Computer Configuration settings.

The same thing happens for a user. Starting at the user’s OU, Group Policy walks up the OU tree evaluating the User Configuration portion of every GPO linked at each node up to the domain node. After that, site-based GPOs are evaluated.

Considering “Loopback processing mode”, things can be a little more complicated, as loopback changes the way Group Policy is applied. More on loopback here: http://support.microsoft.com/kb/231287 and http://social.technet.microsoft.com/wiki/contents/articles/windows-server-understand-user-group-policy-loopback-processing-mode.aspx.

That’s how it works and that’s what you should feel comfortable with. Now, for cross-forest logons, things are a little different. Within your own domain and forest, you can be pretty sure what you configure and that the things you configure will be applied for both users and computers. That’s the whole point in Group Policy – you own both the user accounts and the computer accounts, link the GPOs to them and have a certain effect on them, based on which policies are linked and therefore applied.

This changes once you consider a cross-forest logon, where a user in forest contoso.com logs on to a machine in cohowinery.com. As the owner of the machines in cohowinery.com, when guest users from contoso.com come and try to log on with their credentials on your machines (over the trust), according to normal GP behavior they would receive their portion of User Group Policy – policies that you cannot control, because they come from their home forest, contoso.com.

The bad thing about this would be that things you configure on the “User Configuration” side for your domain’s users won’t be applied to foreign-forest users when they log on to your boxes. Restrictions you put in place, say “Prohibit access to the Control Panel”, “Prevent access to registry editing tools” or “Desktop Wallpaper”, will not apply. Instead, guest users would bring the portion of Group Policy configured for them in their own forest. The resulting RSoP would be their own User Configuration settings plus whatever you have configured in the “Computer Configuration” portion of the GPOs that apply to the computer. That might not be a good thing, considering that these cross-forest users who use your computers should have the same “restrictions” and “security” configured as your own users.

Luckily, things work a little differently across a forest boundary, when users log on to computers in another forest. By default, Group Policy detects that the user comes from a different forest and switches Group Policy processing mode to “Loopback Processing Mode: Replace”. You can see that in both the gpsvc.log file and the Group Policy\Operational event log, although neither of them alone tells you exactly what happens and why. The combination of the two tells you the whole story (“It’s loopback because the user comes from a different forest. It’s loopback in Replace mode”).
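As an added example (not from the original post), this PowerShell snippet confirms from the event logs of the cohowinery.com machine that a contoso.com logon was switched to loopback Replace. It assumes the event IDs 1109 and 1529 quoted later from the setting’s explain text; which log records them on a given Windows version is an assumption, so both the System log and the Group Policy Operational log are queried.

```powershell
# Added example, not from the original post. Run elevated on the cohowinery.com
# machine after the contoso.com user has logged on. IDs 1109 (loopback invoked in
# Replace mode) and 1529 (local profile instead of roaming profile) are taken from
# the explain text of "Allow Cross-Forest User Policy and Roaming User Profiles";
# the log they land in is an assumption, so two logs are checked.
param([int]$Hours = 24)

$since   = (Get-Date).AddHours(-$Hours)
$filters = @(
    @{ LogName = 'System';                                   Id = 1109, 1529; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 1109, 1529; StartTime = $since }
)

$events = foreach ($f in $filters) {
    # SilentlyContinue: Get-WinEvent raises an error when a filter matches nothing
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

if (-not $events) {
    "No 1109 (loopback Replace) or 1529 (local profile) events in the last $Hours h."
    return
}

$events | Sort-Object TimeCreated | ForEach-Object {
    $meaning = switch ($_.Id) {
        1109 { 'loopback invoked in Replace mode (cross-forest user)' }
        1529 { 'roaming profile refused, local profile from this forest used' }
    }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Log      = $_.LogName
        Provider = $_.ProviderName   # shown so unrelated providers reusing these IDs can be ruled out
        Id       = $_.Id
        Meaning  = $meaning
        Message  = ($_.Message -split "`r?`n")[0]   # first line of the event text
    }
} | Format-Table -AutoSize -Wrap
```

Pair the output with the matching lines in gpsvc.log to get the "why" (user from a different forest) next to the "what" (Replace mode).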

Now – how does that help? Using Loopback in Replace mode, when a cross-forest user logs on to our machine, the system won’t load the User Configuration settings the cross-forest user brings along. Instead, it loads all “User Configuration” settings from the GPOs that apply to our machine’s account. By default, if you’re not working with Loopback anyway, you don’t have “User Configuration” GPOs linked for your machines – why would you? So when this cross-forest user logs on, they at least don’t apply their own Group Policy, but they don’t apply the User Configuration GPOs that you have for your users, either. In order to force that, you’d have to link all the relevant GPOs you want to apply to cross-forest users logging on in your forest to the target machines, too. You link them twice: once for your own users and once for the machines you think a user from the other forest could log on to in the future.

To sum it up: Group Policy application over a cross-forest trust works differently. When a user in forest contoso.com logs on to a machine in cohowinery.com, Group Policy is applied in Loopback Processing Mode: Replace for that session.
That’s the default behavior. Like many things in Windows, you can change that, too. There’s a special Group Policy setting you can enable to change the behavior so that, when a cross-forest user logs on to your machines, they apply their home forest’s User Configuration GPOs as if there were no forest boundary. The setting is in “Computer Configuration\Administrative Templates\System\Group Policy” and is called “Allow Cross-Forest User Policy and Roaming User Profiles”.

From the setting’s explain text: “(…)This setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists.

When this setting is not configured:
- No user-based policy settings are applied from the user’s forest
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
- Loopback Group Policy processing is applied, using the Group Policy objects (GPOs) that are scoped to the computer.
- An event log message (1109) is posted, stating that loopback was invoked in Replace mode.
When this setting is enabled, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest.
”

That’s how it works. Cross-forest Group Policy application isn’t rocket science, but you need to know how it works, why it works the way it does and, in case you want to change it, what to prepare for.

Just one additional note here, though. If you’re going to stick with the default cross-forest GP application behavior in Loopback: Replace and link custom User GPOs, make sure you grant the cross-forest users the “Read” and “Apply Group Policy” permissions on these GPOs – otherwise, they won’t be able to apply them. It sounds obvious, but since they come from a different forest, security filtering may hit you there. “Authenticated Users” works; “Domain Users” will not.
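As an added example (not from the original post), this PowerShell script audits the security filtering of every GPO linked to the OU holding the machines that cross-forest users log on to, using the GroupPolicy module’s Get-GPInheritance, Get-GPPermission and Set-GPPermission cmdlets. The OU path and the -Fix switch are assumptions for illustration.

```powershell
# Added example, not from the original post. Reports whether "Authenticated Users"
# (well-known SID S-1-5-11, which a contoso.com user is a member of on a
# cohowinery.com box) holds Apply Group Policy on each linked GPO, and flags GPOs
# filtered only to a single domain's "Domain Users", which never match a user
# from the other forest. -Fix grants Authenticated Users GpoApply (implies Read).
param(
    [string]$ComputerOU = 'OU=SharedWorkstations,DC=cohowinery,DC=com',  # assumed OU
    [switch]$Fix
)
Import-Module GroupPolicy -ErrorAction Stop

$authenticatedUsersSid = 'S-1-5-11'
$links = (Get-GPInheritance -Target $ComputerOU).GpoLinks | Where-Object Enabled

foreach ($link in $links) {
    $name   = $link.DisplayName
    $domain = $link.GpoDomainName   # a link may point to a GPO in another domain of the forest
    $perms  = Get-GPPermission -Name $name -Domain $domain -All

    # GpoApply includes Read; GpoRead alone is not enough for the GPO to apply
    $canApply = [bool]($perms | Where-Object {
        $_.Trustee.Sid.Value -eq $authenticatedUsersSid -and $_.Permission -eq 'GpoApply'
    })

    # Apply-level trustees named "Domain Users" only cover users of that one domain
    $domainOnly = $perms |
        Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -match 'Domain Users' } |
        ForEach-Object { "$($_.Trustee.Domain)\$($_.Trustee.Name)" }

    if (-not $canApply -and $Fix) {
        Set-GPPermission -Name $name -Domain $domain -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
        $canApply = $true
    }

    $note = if ($canApply) { '' } else { 'cross-forest users will NOT apply this GPO' }
    [pscustomobject]@{
        Gpo                 = $name
        Domain              = $domain
        Enforced            = $link.Enforced
        AuthenticatedApply  = $canApply
        DomainOnlyFiltering = ($domainOnly -join ', ')
        Note                = $note
    }
}
```

Run it read-only first; an empty AuthenticatedApply column with a populated DomainOnlyFiltering column is exactly the security-filtering trap described above.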

6 Comments so far

  1. Alan Burchill on October 31st, 2011

    Great Article… can you add a Tweet button to the post to make it easier to share…

  2. florian on October 31st, 2011

    Thanks Alan,

    will try. I haven’t touched the blog software in months. :-)

  3. Andreas Gibson on October 31st, 2011

    Nice article Florian – it’s good to see you posting again!

  4. Alex verboon on October 31st, 2011

    Excellent article. And agree with Alan, great posts must be tweeted :-)

  5. JM on November 3rd, 2011

    Great article. Thanks for posting.

  6. reto on July 29th, 2013

    thx