How to add an un-trusted domain user in GPA

  • 7016368
  • 31-Mar-2015
  • 07-May-2018

Environment

NetIQ Group Policy Administrator 6.7
NetIQ Group Policy Administrator 6.8.x

Situation

NetIQ Group Policy Administrator (GPA) allows Group Policy Administrators to manage GPOs from domains that do not have a direct trust with the GPA Repository Server. Because the domain is un-trusted, you must first grant local GP Admins from the un-trusted domain rights within GPA.

Resolution

Use the GPA Un-Trusted User wizard to create the user login:
  1. Launch the GPA Console from the same domain as the GPA Repository, in the context of an AD User who is a member of the Domain Group called GPA_REPOSITORY_MANAGEMENT or an account that has Manage GPR Security permissions.
  2. In the left pane, expand GP Repository, and then select the GP Repository.
  3. On the Action menu, select Add Untrusted Domain User, and then click Next.
  4. Type the name of the SQL Server logon account you want to create in the User Login field.
  5. Type the password for the new SQL Server logon account in the Password field.
  6. Confirm the password in the Re‑Enter Password field, and then click OK.
  7. After creating the SQL Login, click Next to continue mapping the SQL User to an AD user from the Un-Trusted Domain.
  8. Type the user name of an account from the untrusted domain you are adding to the GP Repository in the User Name field.
  9. Specify an account to which you will assign specific GPA permissions.
  10. Specify the NetBIOS name or IP address of the domain controller for the untrusted domain in the Domain Controller field.
  11. Under Connect As, type the user name and password of a domain administrator account from the untrusted domain.
    • The Remote User Login wizard uses these credentials to verify the account to which you will assign GPA permissions.
  12. Click Finish.

Once the SQL Login ID has been created and mapped to an Un-trusted Domain User, you will need to grant security:

  1. Launch the GPA Console from the same domain as the GPA Repository, in the context of an AD User who is a member of the Domain Group called GPA_REPOSITORY_MANAGEMENT or an account that has the Manage GPR Security permissions.
  2. In the left pane, expand GP Repository and select the GP Repository, domain, category, or GPO for which you want to set individual security settings for a user or group.
  3. If you have not already enabled the Manage GPR Security option, on the View menu, click Manage GPR Security.
  4. On the Action menu, click Properties.
  5. Click the GPR Security tab.
  6. Select the user or group whose security permissions you want to modify.
    • The newly added Un-trusted domain user will show up as an unresolved SID.
  7. Configure security settings for the selected user or group by selecting or clearing the Allow and Deny check boxes for each security permission.
  8. When you finish configuring the security settings, click OK.

Additional Information

As of GPA 6.9.x the process to grant security to trusted or untrusted users has changed. Security is now granted via Active Views.

Once the untrusted user has been added to GPA, their account will be represented within GPA as the SID of the account. GPA can apply security to AD groups only if their AD domain has a direct trust with the GP Repository Server domain.
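Because the mapped user appears on the GPR Security tab only as an unresolved SID (step 6 of the security procedure and the paragraph above), it helps to know the account's SID before editing permissions. The following is an added PowerShell example, not NetIQ or GPA code; it binds to the untrusted domain controller with explicit credentials (the same information the wizard asks for under Domain Controller and Connect As) and returns the account's SID in the S-1-5-... form. The domain controller, search base and account name are placeholder values.

```powershell
# Added example (not NetIQ/GPA code): look up the objectSid of an account in an
# untrusted domain so it can be matched against the unresolved SID shown in GPA.
function Get-UntrustedAccountSid {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # NetBIOS name or IP, as in the wizard
        [Parameter(Mandatory)][string]$SearchBase,         # e.g. DC=untrusted,DC=example
        [Parameter(Mandatory)][string]$SamAccountName,     # account mapped in the User Name field
        [Parameter(Mandatory)][pscredential]$ConnectAs     # domain admin of the untrusted domain
    )

    # Bind directly to the DC with explicit credentials; no trust relationship is required.
    $ldapPath = "LDAP://$DomainController/$SearchBase"
    $root = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $ConnectAs.UserName, $ConnectAs.GetNetworkCredential().Password)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('objectSid')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "Account '$SamAccountName' not found on $DomainController; check the name and Connect As credentials."
    }

    # objectSid is returned as a byte array; convert it to the string form GPA displays.
    $sidBytes = [byte[]]$result.Properties['objectsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

    [pscustomobject]@{
        Account           = $SamAccountName
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        Sid               = $sid.Value
    }
}

# Placeholder values (assumed, replace with your own); the credential prompt stands in for Connect As.
$cred = Get-Credential -Message 'Connect As: domain administrator of the untrusted domain'
Get-UntrustedAccountSid -DomainController 'dc01.untrusted.example' `
                        -SearchBase 'DC=untrusted,DC=example' `
                        -SamAccountName 'gpadmin' `
                        -ConnectAs $cred
```

Compare the returned Sid value with the unresolved SID listed on the GPR Security tab before selecting Allow or Deny for it.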