Linking GPOs across forests

by Mitch Tulloch [Published on 20 June 2012 / Last Updated on 20 June 2012]

Some tips concerning linking Group Policy Objects across Active Directory forests.

It's possible to link a GPO in a domain in one forest to a domain or OU in another forest, but to do this you need to first do two things:

1. Make sure there is a two-way trust between the forests.

2. Enable the "Allow cross-forest User Policy and Roaming User Profiles" policy setting.

However, just because you can do this doesn't mean it's a good idea. For one thing, the latency that is typically experienced in this scenario, due to LDAP queries against the domain in the remote forest and reads of the sysvol share there, can slow down Group Policy processing. And as the admin of the local domain, you have to decide whether you want your users or computers to be governed by policies that you have no control over.

So instead of linking GPOs across forests, consider the alternative of exporting the GPO from the domain in the remote forest and importing it into your local domain. That way you don't have to worry about latency, trust, firewalls, and lack of control over policy.
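The export/import alternative described above, as an added PowerShell example that is not part of the original article: it checks the trust prerequisite from the first tip, backs up the GPO from the remote domain with the RSAT GroupPolicy module, imports it into the local domain as a locally owned GPO, and links it there. The domain names, GPO name, OU distinguished name and backup path are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): copy a GPO from a remote forest
# into the local domain instead of linking it across the forest boundary.
# Requires RSAT (GroupPolicy and ActiveDirectory modules) and read access to the
# remote GPO. All names and paths below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$RemoteDomain = 'corp.remote.example'   # placeholder: domain in the other forest
$LocalDomain  = 'corp.local.example'    # placeholder: your own domain
$GpoName      = 'Workstation Hardening' # placeholder: GPO to copy
$BackupPath   = 'C:\GPOBackups'         # placeholder: backup staging directory
$TargetOu     = 'OU=Workstations,DC=corp,DC=local,DC=example'  # placeholder

# 1. Inspect the trust the article names as a prerequisite for cross-forest
#    linking. A one-way (Inbound or Outbound) trust is not enough for linking;
#    export/import only needs read access to the remote GPO, so it still works.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    Write-Warning "No trust to $RemoteDomain found; cross-forest linking is not possible, export/import is the only option."
} elseif ($trust.Direction -ne 'BiDirectional') {
    Write-Warning "Trust to $RemoteDomain is $($trust.Direction), not two-way; cross-forest linking would fail."
}

# 2. Export (back up) the GPO from the remote domain. Backup-GPO writes the
#    settings plus a manifest into $BackupPath and returns the backup record.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
$backup = Backup-GPO -Name $GpoName -Domain $RemoteDomain -Path $BackupPath `
    -Comment "Copied from $RemoteDomain on $(Get-Date -Format s)"

# 3. Review what you are about to apply to your users and computers before it
#    governs them; this is the control the article says you would otherwise give up.
Get-GPOReport -Name $GpoName -Domain $RemoteDomain -ReportType Html `
    -Path (Join-Path $BackupPath "$GpoName.html")

# 4. Import into the local domain as a new GPO. -CreateIfNeeded creates the
#    target GPO if it does not exist. Security principals or UNC paths in the
#    source that refer to the remote domain need a migration table (.migtable,
#    built with the GPMC Migration Table Editor) passed via -MigrationTable.
$imported = Import-GPO -BackupId $backup.Id -Path $BackupPath -Domain $LocalDomain `
    -TargetName $GpoName -CreateIfNeeded

# 5. Link the imported GPO to a local OU. It is now owned by this domain, so
#    later edits in the remote forest no longer flow in silently, and clients
#    read it from the local sysvol rather than across the trust.
New-GPLink -Name $imported.DisplayName -Domain $LocalDomain -Target $TargetOu -LinkEnabled Yes

# 6. Record the source version numbers so drift between the remote original and
#    the local copy can be spotted by re-exporting and comparing reports later.
$source = Get-GPO -Name $GpoName -Domain $RemoteDomain
"Imported '$($imported.DisplayName)' ($($imported.Id)) from $RemoteDomain; " +
"source version computer/user = $($source.Computer.DSVersion)/$($source.User.DSVersion)"
```

Run it from a management host that is a member of the local domain with credentials that can read GPOs in the remote domain and create and link GPOs locally. Keep the backup directory and the HTML report as the record of what was imported and when.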

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.
