GPOs between domains with a trust relationship

active-directory group-policy

Is it possible to apply a GPO from one domain to another domain with a trust relationship? We have a GPO that adds a management security group to the local admin group of domain-joined computers. My understanding is that the GPO of Domain can only be applied to objects within its own domain. Could a security group of Domain A be added to a GPO created within Domain B to be added to the local admin group of computers within Domain B?

GPO – Domain A <- Trust -> Domain B

Thank You!

Best Answer

> My understanding is that the GPO of Domain can only be applied to objects within its own domain.

Your understanding is spot-on - there is no such thing as a cross-domain GPO.

> Could a security group of Domain A be added to a GPO created within Domain B to be added to the local admin group of computers within Domain B?

Yes!

Most certainly. If you use the Local Users and Groups group policy preference settings, you specify a Local Group name (i.e. Administrators), and then add an explicit list of members. These members can come from anywhere within your own forest, but you can also choose security principals from other domains that you trust!

Just change the "Location" in the object picker:

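An added example, not part of the original answer: because a Local Users and Groups preference item can grant local admin rights to a group from another domain, it is worth reviewing which principals each GPO adds. The sketch below assumes the usual `Groups.xml` layout that this preference item writes under the GPO's `Machine\Preferences\Groups` folder in SYSVOL; the sample file, domain names, group names and SIDs are constructed.

```python
import xml.etree.ElementTree as ET

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
# Constructed, trimmed Groups.xml; domain names, group names and SIDs are made up.
LOCAL_DOMAIN_SID = "S-1-5-21-2222222222-2222222222-2222222222"  # stands in for "Domain B"
SAMPLE_GROUPS_XML = rb"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="DOMAINB\Workstation-Admins" action="ADD"
                sid="S-1-5-21-2222222222-2222222222-2222222222-1105"/>
        <Member name="DOMAINA\Management-Admins" action="ADD"
                sid="S-1-5-21-1111111111-1111111111-1111111111-1130"/>
        <Member name="DOMAINB\Old-Helpdesk" action="REMOVE"
                sid="S-1-5-21-2222222222-2222222222-2222222222-1140"/>
      </Members>
    </Properties>
  </Group>
</Groups>"""

def domain_sid(sid):
    """Return the domain part of an account SID (everything before the final RID)."""
    return sid.rsplit("-", 1)[0]

def audit_admin_members(groups_xml, local_domain_sid):
    """List members a preference item ADDs to local Administrators; flag other domains."""
    findings = []
    for props in ET.fromstring(groups_xml).iter("Properties"):
        by_sid = props.get("groupSid") == ADMINISTRATORS_SID
        by_name = props.get("groupName", "").startswith("Administrators")
        if not (by_sid or by_name):  # groupSid is empty when the group name was typed in
            continue
        for member in props.iter("Member"):
            if member.get("action", "").upper() != "ADD":
                continue  # REMOVE entries grant nothing
            sid = member.get("sid", "")
            other = sid.startswith("S-1-5-21-") and domain_sid(sid) != local_domain_sid
            findings.append({"name": member.get("name"), "sid": sid, "other_domain": other})
    return findings

if __name__ == "__main__":
    for f in audit_admin_members(SAMPLE_GROUPS_XML, LOCAL_DOMAIN_SID):
        tag = "OTHER DOMAIN" if f["other_domain"] else "local domain"
        print(f"{tag:12}  {f['name']}  {f['sid']}")
```

To review a real GPO, pass the bytes of its `Groups.xml` and the SID of the domain that owns the computers; every entry marked as coming from another domain is a principal whose membership is controlled outside that domain.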
