Group Policy in Parent/Child or Parent/Tree domains

InfoTechdude 156 Reputation points
2020-09-08T12:49:21.527+00:00

Hi,

I'm trying to crack the "mystery" of Parent/Child/Tree domains. How do you apply group policy to a child or tree domain? Let's say:
parent is contoso.com
child is usa.contoso.com
tree is fabrikam.com

What are the permissions needed? What is the difference between upgrading domains in a parent/child/tree relationship and applying group policy in a parent/child/tree relationship? In my opinion these topics are most needed and you can't find ANY info on them.

In the forest root domain you have got both Ent and Schema Admins. What do you get in a child? What do you get in a tree? What can you do within a child/tree domain without needing the perms from the parent domain?

Thanks for clarification!

Thanks!


2 answers

  1. Vadims Podāns 9,036 Reputation points MVP
    2020-09-08T13:49:58.577+00:00

    Group policies are domain-wide objects, with some exceptions: you can apply a GPO to a site that can contain several domains or their parts.

    What do you get in a child?

    Domain Admins only.

    There are two administrative groups in AD:

    • Domain Admins. This group exists in every domain and has full permissions in the respective domain only. Domain Admins can write to the domain naming context of that respective domain.
    • Enterprise Admins. This group exists only in the forest root domain and has permissions to write to the configuration naming context, which is common to the entire AD forest.

  2. Fan Fan 15,291 Reputation points Microsoft Vendor
    2020-09-09T01:58:12.167+00:00

    Hi,

    A GPO is stored on a per domain basis.
    As Crypt32 said, if you want to link a GPO for all the domains within the forest, we can link the GPO to a site.
    The following link is for your reference:
    Linking GPOs to Active Directory Containers
    Thanks Crypt32 for the proper advice!
    If there's anything you'd like to know, don't hesitate to ask.

    Best Regards,

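The group scoping and the per-domain GPO storage described in the two answers above can be checked read-only from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory RSAT module and read access to every domain in the forest.

```powershell
# Added example: read-only audit, assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Admin groups per domain, looked up by well-known RID so localized names work:
#    512 = Domain Admins (every domain), 519 = Enterprise Admins (forest root only).
$admins = foreach ($name in $forest.Domains) {
    $sid  = (Get-ADDomain -Server $name).DomainSID
    $rids = if ($name -eq $forest.RootDomain) { 512, 519 } else { 512 }
    foreach ($rid in $rids) {
        $group = Get-ADGroup -Identity "$sid-$rid" -Server $name -Properties member
        foreach ($memberDn in $group.member) {
            [pscustomobject]@{ Domain = $name; Group = $group.Name; MemberDN = $memberDn }
        }
    }
}
$admins | Sort-Object Domain, Group | Format-Table -AutoSize

# 2. Site-linked GPOs. Site objects live in the forest-wide configuration naming
#    context; each gPLink entry looks like [LDAP://<GPO DN>;<options>].
$configNC = (Get-ADRootDSE -Server $forest.RootDomain).configurationNamingContext
$sites = Get-ADObject -Server $forest.RootDomain -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=site)' -Properties gPLink
$links = foreach ($site in $sites) {
    $found = [regex]::Matches([string]$site.gPLink, '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]')
    foreach ($m in $found) {
        $dn  = $m.Groups['dn'].Value
        $opt = [int]$m.Groups['opt'].Value
        # The DC= components of the GPO's DN name the one domain that stores it.
        $dcs = $dn -split ',' | Where-Object { $_ -match '^DC=' }
        [pscustomobject]@{
            Site           = $site.Name
            GpoDN          = $dn
            StoredInDomain = ($dcs -replace '^DC=', '') -join '.'
            Disabled       = [bool]($opt -band 1)
            Enforced       = [bool]($opt -band 2)
        }
    }
}
$links | Format-Table -AutoSize
```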