Group Policy features that are supported across forests

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Windows Server 2003 family introduces a powerful set of new features that enable you to authenticate and authorize access to resources from separate, networked forests. With full trusts established between forests, you can manage Group Policy throughout Active Directory regardless of the forest, which provides greater flexibility, especially in large organizations. For more information about accessing resources across forests in Active Directory, see Accessing resources across forests. For more information on forest trusts, see Forest trusts.

Following is a list of the Group Policy features that are supported across forests:

  • Interactive logon

    The following table lists the interactive logon tasks that are supported across forests.

    | Task | Support across the domain? | Support across domains in the same forest? | Support interactive logon across forests? |
    | --- | --- | --- | --- |
    | Apply policy to a user object | Yes | Yes | Yes |
    | Apply policy to a computer object | Yes | Yes | Yes |
    | Support Group Policy loopback processing | Yes | Yes | Yes |

    For example, User1 is located in forestA and computer1 is located in forestB. User1 goes to forestB and logs on to computer1. In this scenario, computer policy is applied to computer1 from forestB, and user policy is applied to User1 on computer1 from forestA. Site policy might be applied depending on the subnet to which computer1 belongs.

    For interactive logon across forests with loopback processing, Group Policy objects with loopback enabled for merge or replace are applied across forests under the same logon model as specified for interactive logon. For more information about loopback, see Order of processing settings.

  • Network logon

    The following Group Policy extensions are supported for network logon across forests:

    • Software distribution points located in another forest.

    • Logon scripts on a shared network directory in another forest.

    • Roaming user profiles stored on a shared network directory in another forest. For more information, see Using roaming user profiles.

    • Redirected folders stored on a file share in another forest. For more information, see Folder Redirection.

  • Delegation

    Delegation across forests is supported for managing Group Policy links. Other tasks, such as creating, deleting, or modifying Group Policy objects across forests, are not supported.