How do I manage an untrusted domain with GPA?

  • 7016812
  • 01-Sep-2015
  • 14-Jan-2016


NetIQ Group Policy Administrator 6.x


Within GPA the ability exists to manage the GPOs from an AD domain which does not share a trust with the GPA Repository domain. GPA can be configured to manage an untrusted domain.


  1. Configure network access to the managed domain
    1. Before attempting to add the managed domain, ensure there is Bi-Directional Network access from the GPA console and from the GPA to all domain controllers within the managed domain.
      • Refer to the GPA Administration Guide documentation ( for details about the Firewall ports needed.  The documentation has a section entitled ‘Ports used by GPA”, which provides the details needed to configure the network firewalls.
      • Use Microsoft CMD line utility NLTEST with the /DSGETDC switch to verify network access to the domain controllers
  2. Once the firewall is configured, launch the GPA Console.
    1. The logged on console user will need GPA Repository rights to add a new domain.
      • See the GPA Administration Guide documentation ( for details about GPA Permissions.
  3. Use the GPA console to add the managed domain
    1. Right click on the Repository node and choose add new managed domain.
      • When adding the managed domain, GPA will require an AD account local to that domain with Domain Admin Rights
        • Contact NetIQ Technical Support for assistance with configuring GPA to use a Non Domain Admin account.
  4. Configure GPA Repository permissions for AD users from the untrusted domain.
    1. See NetIQ KB 701368 ( ), for details on how to grant an untrusted console user GPA Repository permission.
  5. Configure the account details for the managed untrusted domain
    1. From the right click properties menu of the managed domain, click the accounts tab
      • The untrusted access account is used to read the GPO details from the domain and also used to run GP Settings reports
        • This account is an access account and not an actual GPA Console end user account
      • The Export Override Account is used to write exported data to live AD.
        • This account will need full Domain Admin rights within the managed domain
          • Contact NetIQ Technical Support for assistance with configuring GPA to use a Non Domain Admin account.
  6. Import GPOs from the untrusted domain into GPA
    1. Create new GPA Repository categories within the managed domain
    2. From the right click menu on a category, choose the import GPO option.
      1. The untrusted access account will need to be configured for this domain.

Additional Information

The GPA Offline Mirror utility is unable to run for untrusted domains. All GPOs must be imported manually using the GPA console.

For details on Microsoft NLTEST , run NLTEST /? . The domain controller specific switches are as follows:
 /DESGETDC:<FQDN of Managed Domain>
 /DESGETDC:<FQDN of Managed Domain> /GC
 /DESGETDC:<FQDN of Managed Domain> /PDC