Allow Cross-Forest User Policy and Roaming User Profiles
ID: oval:org.secpod.oval:def:19616 | Date: (C)2014-05-29 (M)2023-07-14
Class: COMPLIANCE | Family: windows
The Allow Cross-Forest User Policy and Roaming User Profiles machine setting should be configured correctly.
Allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. This setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists.

When this setting is not configured:
- No user-based policy settings are applied from the user's forest.
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
- Loopback Group Policy processing is applied, using the Group Policy objects (GPOs) that are scoped to the computer.
- An event log message (1109) is posted, stating that loopback was invoked in Replace mode.

When this setting is enabled, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest.

When this setting is disabled, the behavior is the same as if it is not configured.
Fix:
(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Allow Cross-Forest User Policy and Roaming User Profiles
(2) KEY: HKLM\Software\Policies\Microsoft\Windows\System\AllowX-ForestPolicy-and-RUP
Platform: Microsoft Windows Server 2008 R2
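An audit sketch for the setting and the two event IDs described above, added here as an example and not part of the OVAL definition. It assumes the policy is stored as a REG_DWORD (1 = enabled, 0 = disabled) and that events 1529 and 1109 land in the Application or System log; the function names are hypothetical.

```powershell
# Added audit sketch; not part of the OVAL definition.
# Assumption: the policy is stored as a REG_DWORD (1 = Enabled, 0 = Disabled).
$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$ValueName = 'AllowX-ForestPolicy-and-RUP'

function Get-CrossForestPolicyState {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    # A missing key or value means the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw = $null; $state = 'NotConfigured'
    } else {
        $raw = $item.$Name
        switch ($raw) {
            1       { $state = 'Enabled' }
            0       { $state = 'Disabled' }
            default { $state = 'Unexpected' }
        }
    }

    # Disabled and NotConfigured behave identically per the description.
    if ($state -eq 'Enabled') {
        $effect = 'User policy and roaming profiles from the trusted forest are applied'
    } elseif ($state -eq 'Unexpected') {
        $effect = 'Unknown: value is neither 0 nor 1, review manually'
    } else {
        $effect = 'Local profile only; loopback processing in Replace mode'
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; State = $state; RawValue = $raw; Effect = $effect
    }
}

function Get-CrossForestLogonEvents {
    param([int]$Days = 7)
    # Assumption: log names. The filter matches on event ID only, and other
    # providers can reuse these IDs, so review ProviderName in the output.
    $filter = @{ LogName = 'Application','System'; Id = 1529,1109
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, ProviderName
}

Get-CrossForestPolicyState | Format-List
Get-CrossForestLogonEvents | Format-Table -AutoSize
```

Recent 1529 or 1109 events on a host reporting NotConfigured or Disabled indicate that users from a trusted forest are logging on interactively and receiving local profiles with loopback policy.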