Group policies are domain-wide objects with some exceptions: you can apply a GPO to a site that can contain several domains or their parts.
What do you have in the child?
Domain Admins only.
There are two administrative groups in AD:
- Domain Admins. This group exists in every domain and has full permissions in the respective domain only. Domain Admins can write to the domain naming context of that respective domain.
- Enterprise Admins. This group exists only in the forest root domain and has permissions to write to the configuration naming context, which is common to the entire AD forest.