
How To: External Trust Group Policy Basics

Group Policy behavior with an external K5 trust

Your user account in the ACCESS domain is made up of two major parts. The first part is your Kerberos 5 ticket from the MIT K5 realm dce.psu.edu. The second is the PAC data contained in the ticket, which is used for authorization. This PAC data contains the user's SID and the SIDs of the groups the user is a member of. Because the K5 ticket comes from the K5 realm, the user is seen as an account from a cross-forest trust. This means that for policies placed on the user to take effect, an administrator must enable cross-forest roaming profiles and group policies. This is only useful if you want the policies applied to the domainusers container to be applied to the user.

Group Policy Application and Hierarchy

Group policy can be applied to a machine via the local setting or site, domain or OU in Active Directory. Policies are applied in the order of:

  1. Local Group Policy object
  2. Site
  3. Domain
  4. OU

This means that if a setting is configured at the site level and configured again at the OU level, the OU setting overwrites the site setting. The lowest-level OU where a setting is defined is the one that gets applied.

Group Policies are broken into two categories: user settings and computer settings. Only user settings can be set on user objects and only computer settings can be set on computers. Since only enterprise administrators have permissions on the domainusers container, an OU admin cannot directly set group policies on user accounts. To work around this, an administrator must enable loopback processing.

How To: Create and Apply a GPO in the ACCESS domain

Prerequisites:

  1. Install the group policy management console.
  2. You must have a properly delegated group policy object or an OU Admin account.
  3. Read and understand the basics of group policies in the Penn State Active Directory® environment.

Create the GPO

In order to create the GPO, you must have an administrative account given to you by an enterprise administrator. First, log on to a machine with the GPMC installed using your admin account. Next, open the GPMC and double-click Forest: access.psu.edu; double-click Domains; double-click access.psu.edu. You should see:

Screenshot: expanded GPMC

Next, right-click Group Policy Objects and click <New>. Properly prefix your GPO and click <Apply>. Next, click Group Policy Objects. Find your GPO, right-click it, and select <Edit>. Edit the GPO appropriately.

Apply the GPO

Log on to a machine with the GPMC installed, using an account that has been delegated permissions over your OU. Open the GPMC and navigate to the OU you wish to apply the GPO to. Right-click the OU and select Link an Existing GPO. Select your GPO and click <OK>.

How To: Allow Cross-Forest Roaming Profiles and Group Policies

Prerequisites:

  1. Install the group policy management console.
  2. You must have a properly delegated group policy object or an OU Admin account.
  3. Read and understand the basics of group policies in the Penn State Active Directory® environment.

Apply the delegated GPO to users

In order to apply user settings from the domainusers container or to allow roaming profiles, you must enable Cross-Forest Roaming Profiles and Group Policies. Two modes exist for loopback processing: merge and replace. The merge setting lets the group policy engine take the other policies applied to the user and merge them with this policy. This is useful for getting the policies applied to the user accounts by the Enterprise Administrators. The replace setting acts as its name indicates: it replaces the settings from the OU where the user account resides with the policies set on the OU where the computer resides. In the following steps, we will be restricting access to the Control Panel for users who log on to workstations located in the AIT Workstations OU:

  1. Edit the GPO where the computer account for the machine that a user will log on to resides.
  2. Enable the policy setting Computer Configuration/Administrative Templates/System/Group Policy/Allow Cross-Forest User Policy and Roaming User Profiles.
     Screenshot: Enable Cross-Forest User Policy and Roaming User Profiles
  3. Click <OK>.

How To: Apply user group policy settings

Prerequisites:

  1. Install the group policy management console.
  2. You must have a properly delegated group policy object or an OU Administrative account.
  3. Read and understand the basics of group policies in the Penn State Active Directory® environment.

Apply the delegated GPO to users

In order to apply user settings to a user, you must enable loopback processing. There are two modes of loopback processing. The first is merge. This setting will allow the group policy engine to take other policies applied to users and merge them with this policy. This is useful for getting the policies applied to the user accounts by the Enterprise Admins. In the following steps we will be restricting access to the Control Panel for users who log on to workstations located in the AIT Workstations OU.

  1. Edit the GPO and set the user group policy settings you wish to apply. In this example, we are enabling the setting User Configuration/Administrative Templates/Control Panel/Prohibit access to the Control Panel.
     Screenshot: Prohibit access to the Control Panel
  2. Enable the policy setting Computer Configuration/Administrative Templates/System/Group Policy/User Group Policy loopback processing mode.
  3. Select the appropriate Mode. (Merge is suggested.)
     Screenshot: Enable Loopback Processing
  4. Apply the GPO to the OU containing the computer where the user will log on; for this example, it will be the PSUOUs/UP/ITS/ASET/AIT/workstations OU.
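The three procedures above (create and link a GPO, allow cross-forest user policy, enable loopback processing with a user setting) can also be scripted. The following is an added example, not part of the original Penn State page and not an ITS-provided script: it uses the GroupPolicy PowerShell module (available with RSAT on Windows Server 2008 R2 and later; the GPMC of 2006 had no PowerShell interface). The GPO name and comment are assumptions; the OU distinguished name is the PSUOUs/UP/ITS/ASET/AIT/workstations path from the page written in LDAP form. The registry values written are the same ones the Administrative Templates settings named on the page set.

```powershell
# Added example: script the page's procedures with the GroupPolicy module.
# Run from an account delegated over the target OU (see Prerequisites).
Import-Module GroupPolicy

$Domain   = 'access.psu.edu'
$GpoName  = 'AIT-Workstations-Loopback'      # assumed name; use your unit's GPO prefix convention
# PSUOUs/UP/ITS/ASET/AIT/workstations from the page, as a distinguished name
$TargetOU = 'OU=workstations,OU=AIT,OU=ASET,OU=ITS,OU=UP,OU=PSUOUs,DC=access,DC=psu,DC=edu'

# 1. Create the GPO if it does not already exist ("Create the GPO" section).
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain `
        -Comment 'Cross-forest user policy + loopback (merge) for AIT workstations'  # assumed comment
}

# 2. Computer setting: Allow Cross-Forest User Policy and Roaming User Profiles.
#    Without this, user settings for an account seen through the K5 trust are not applied.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'AllowX-ForestPolicy-and-RUP' -Type DWord -Value 1 | Out-Null

# 3. Computer setting: User Group Policy loopback processing mode.
#    1 = Merge (suggested by the page), 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4. User setting carried by the same GPO: Prohibit access to the Control Panel.
#    Loopback is what makes this user-side value apply to whoever logs on to the computer.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 5. Link the GPO to the OU holding the *computer* accounts ("Apply the GPO" section).
#    Loopback and the cross-forest setting are computer settings, so the link must
#    target the computers' OU, not the users' container.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU -Domain $Domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 6. Review what the GPO now carries before the first logon.
Get-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' |
    Select-Object ValueName, Type, Value
```

After the next policy refresh on a workstation in that OU (`gpupdate /force`), `gpresult /r` lists the GPO under both the computer and the user sections; the user section is the confirmation that loopback and the cross-forest setting took effect for an account coming through the K5 trust. Merge mode keeps the policies the Enterprise Administrators apply to the domainusers container and layers this GPO's user settings on top; choose Replace only when you intend to discard those settings for everyone who logs on to the machines in the OU.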

The Pennsylvania State University ©2006. All rights reserved.
This site maintained by Academic Services and Emerging Technologies, a unit of Information Technology Services.

Problem reports and requests for assistance should be directed to ITS Help Desk staff.

Last revised: Monday, June 5, 2006.