GPO and trusted relationships

Filip Gronostaj 20 Reputation points
2025-10-18T17:11:53.25+00:00

If there is a trust relationship between two domains configured with Selective Authentication, and in domain A there is a GPO with Loopback Processing enabled in Merge mode (meaning user policies are combined with computer policies), a problem occurs. When a user from domain B logs on to a computer that belongs to domain A, the loopback mechanism in merge mode doesn’t work properly because the user from domain B doesn’t load their user policies, which causes an error. As a result, the policies aren’t applied to the computer, since without the user policies, there’s nothing to merge with the computer policies.

For users logging on from domain A to a server in domain A, everything works correctly; loopback functions as expected. What can I do to make it work for users from domain B as well?

Windows for business | Windows Server | Directory services | Deploy group policy objects

3 answers

  1. VPHAN 9,355 Reputation points Independent Advisor
    2025-10-18T17:44:50.84+00:00

    Hi Filip Gronostaj,

    You need to ensure that the Domain A computer account can read Domain B user policies, and that Domain B users have the necessary authentication and access rights in Domain A.

    Step 1: Verify “Allowed to Authenticate”

    On each computer (or OU) in Domain A that Domain B users will log into:

    1. Open Active Directory Users and Computers (ADUC).
    2. Locate the computer account (or OU).
    3. Go to Security → Advanced → Add.
    4. Add the Domain B\Authenticated Users (or specific groups/users) and grant:
      • “Allowed to Authenticate”
      • “Log on locally” (or “Allow log on through Remote Desktop Services” if RDP)
      • “Access this computer from the network”

    Without this, authentication succeeds but GPO processing may still fail.

    Step 2: Ensure SYSVOL and GPO Access Across Trust

    Domain A’s computer account must read SYSVOL/GPO content that might include user policies from Domain B.

    • Confirm that the trust direction is two-way, not one-way.
    • Ensure the Domain A computers and Domain B users can resolve DNS records for each other.
    • Make sure Domain A computers have permission to read Domain B user objects and GPOs, or consider replicating relevant policies into Domain A.

    Step 3: Test with Loopback in Replace Mode

    As a diagnostic step, temporarily set the GPO loopback mode to Replace instead of Merge.

    If policies apply in Replace mode but not Merge mode, this confirms the user GPO retrieval issue (Merge needs both).

    Step 4: Alternative Workarounds

    If you can’t fully relax Selective Authentication or modify the trust permissions:

    • Create Domain A-side user accounts specifically for cross-domain login.
    • Or configure a GPO in Domain A that contains both computer and “user” settings (using Replace mode) to simulate loopback behavior.
    • As a last resort, deploy required user settings via local GPO or startup scripts instead of relying on domain GPO merge logic.

    If you think this information is useful, please hit "accept answer" so that other people can benefit too.

    Best regards,

    VP


  2. VPHAN 9,355 Reputation points Independent Advisor
    2025-10-22T16:42:56.81+00:00

    The error you’re encountering—“cannot download policies for the user because they don’t exist”—indicates that the Group Policy (GPO) processing is failing to retrieve the user policies from Domain B, which is critical for the Loopback Processing in Merge mode to function correctly. This suggests that while authentication and basic access are working, the GPO retrieval across the trust relationship with Selective Authentication is still misconfigured or restricted.

    Let’s address this step-by-step to resolve the issue:

    1. Verify GPO Permissions Across Trust: The error implies that the Domain A computer cannot access the Domain B user policies stored in SYSVOL. Since Selective Authentication is enabled, explicit permissions are required:
      • In Domain B’s Active Directory Users and Computers (ADUC), navigate to the OU containing the user accounts or the GPO applied to them.
      • Right-click the OU or GPO, select Properties > Security > Advanced.
      • Add the computer account of the Domain A computer (or a security group containing it) and grant Read and Apply Group Policy permissions.
      • Ensure the Domain A computer account is also added to the Authentication tab with “Allowed to authenticate” if not already configured.
    2. Check SYSVOL Accessibility: The Domain A computer needs to access Domain B’s SYSVOL share to download the user policies.
      • On a Domain A computer, use the command `net view \\<DomainB_DC>` (replace <DomainB_DC> with a Domain B domain controller’s name) to test connectivity.
      • If access is denied, verify that the trust relationship allows Domain A computers to access Domain B SYSVOL. You may need to adjust firewall rules or trust properties to permit this.
    3. Validate DNS and Trust Configuration: GPO retrieval relies on proper name resolution. Ensure Domain A computers can resolve Domain B domain controllers via DNS:
      • Run `nslookup <DomainB_Domain>` from a Domain A computer to confirm DNS resolution.
      • If DNS is misconfigured, update the Domain A DNS settings to include Domain B’s DNS servers or create conditional forwarders.
    4. Temporary Workaround with Replace Mode: Since the user policies from Domain B aren’t downloading, switch the Loopback Processing mode to Replace in the GPO as a diagnostic step:
      • Edit the GPO in Domain A, go to Computer Configuration > Policies > Administrative Templates > System > Group Policy, and set Configure user Group Policy loopback processing mode to Replace.
      • Apply the GPO and test again. If this works, it confirms the issue is specific to merging Domain B user policies, and we can focus on fixing the cross-domain policy retrieval.
    5. Alternative Solution: Mirror Policies in Domain A: If cross-domain policy retrieval cannot be resolved due to Selective Authentication constraints, consider creating a GPO in Domain A that mirrors the necessary user policies for Domain B users:
      • Duplicate the relevant user settings into a GPO linked to the OU containing the Domain A computers.
      • Use Replace mode to apply these settings, ensuring they are tailored for Domain B users (e.g., via security filtering with a group containing Domain B users).
    6. Review Event Logs: Check the Event Viewer on the Domain A computer for Group Policy-related errors:
      • Navigate to Event Viewer > Windows Logs > System or Application, and look for events with source GroupPolicy or UserEnv.
      • Note any specific error codes or messages and share them with me for further analysis.

    The root cause appears to be a permission or trust configuration issue preventing the Domain A computer from accessing Domain B’s user policies. After applying these steps, please test the update process again and let me know the results or any new error messages.

    If you find this useful, please accept the answer so that others can benefit too. Thank you :)

    Vivian

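Both answers above walk through the same set of checks: trust direction and Selective Authentication, the loopback mode actually in force on the computer, DNS resolution of Domain B's domain controllers, SYSVOL reachability, the Group Policy event log, and the resultant policy set for the user. The following PowerShell script is an added example, not code from the thread or from Microsoft; it runs those checks read-only on a Domain A computer so the results can be compared in one place. The domain name, DC name and user name are assumed placeholders, and the trust check needs the ActiveDirectory RSAT module (`Get-ADTrust`).

```powershell
<#
  Added example (not from the thread): read-only loopback/trust diagnostics
  run on a Domain A computer. All names below are assumed placeholders.
#>
param(
    [string]$DomainB   = 'domainb.example',      # assumed: trusted domain (Domain B)
    [string]$DomainBDC = 'dc1.domainb.example',  # assumed: one Domain B domain controller
    [string]$UserSam   = 'domainb\testuser'      # assumed: a Domain B user who logged on here
)

# 1. Trust direction and Selective Authentication.
#    Merge mode needs this computer to read the user's GPOs in Domain B,
#    so an inbound-only trust or Selective Authentication without the
#    "Allowed to authenticate" grants is the first thing to look at.
$trust = Get-ADTrust -Filter "Name -eq '$DomainB'" -ErrorAction SilentlyContinue
if ($trust) {
    "[trust] Direction={0} SelectiveAuthentication={1}" -f $trust.Direction, $trust.SelectiveAuthentication
} else {
    "[trust] No trust object named $DomainB found (needs RSAT and a domain-joined host)"
}

# 2. Loopback mode applied to this computer by policy.
#    UserPolicyMode: 1 = Merge, 2 = Replace; missing = loopback not configured.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$modeName = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
"[loopback] UserPolicyMode=$mode ($modeName)"

# 3. Name resolution: the computer must locate a Domain B DC through the
#    _ldap SRV record before it can read the user's GPOs from there.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainB" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $targets = ($srv | Where-Object { $_.NameTarget } | Select-Object -ExpandProperty NameTarget) -join ', '
    "[dns] DC SRV records for ${DomainB}: $targets"
} else {
    "[dns] Cannot resolve _ldap._tcp.dc._msdcs.$DomainB (check conditional forwarders)"
}

# 4. SYSVOL reachability. This tests with the credentials of whoever runs the
#    script; to test as the computer account itself, run it from a SYSTEM context.
$sysvol = "\\$DomainBDC\SYSVOL\$DomainB\Policies"
if (Test-Path -Path $sysvol) {
    "[sysvol] Readable: $sysvol"
} else {
    "[sysvol] Not readable: $sysvol (permissions, firewall or trust)"
}

# 5. Group Policy operational log: errors (Level 2) from the last 24 hours.
$gpErrors = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
if ($gpErrors) {
    $gpErrors | Select-Object TimeCreated, Id, Message | Format-Table -Wrap -AutoSize
} else {
    "[events] No GroupPolicy errors in the last 24 hours"
}

# 6. Resultant set of policy for the Domain B user on this computer.
#    With loopback in Merge mode the user section should list both the user's
#    own GPOs from Domain B and the computer-side loopback GPOs from Domain A.
gpresult /r /user:$UserSam /scope:user
```

Read the output top to bottom: a trust that is not two-way, a SYSVOL path that is not readable, or an empty SRV lookup each explains the "cannot download policies for the user" error on its own, and fixing that item is the step the answers describe before retrying in Merge mode.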

  3. VPHAN 9,355 Reputation points Independent Advisor
    2025-10-22T16:58:58.4533333+00:00

    Hi Filip Gronostaj,

    Has your issue been solved? If it has, please accept the answer so that others can benefit too. If not, is there anything I can help you with? Please let me know.

    Vivian

