Group Policy in Forest and Multiforest Scenarios

Group Policy is primarily a domain-centric process. That is, Group Policy Objects (GPOs) are created to control users and computers that have accounts in specific domains. The GPOs are linked to the domain or the domain's OUs. The exception to this is the Site GPO, a rare beast that can impact users in multiple domains depending on the location of domain users and computer accounts and where they log on. However, site policies only affect computers and users whose accounts reside in that site. The site GPO is limited to a single forest. There is no Group Policy mechanism for managing users forest-wide, and there is no mechanism for implementing a single GPO that can impact multiple forests.

However, ...

Get Windows Server 2003 Security: A Technical Reference now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.