Can Group Policy Administrator export GPOs to untrusted domains?
How does the Group Policy AdministratorÂ Server component function with domains that have no trusts for the Export Override functionality?
NetIQ Group Policy Administrator 4.x
Cannot export a GPO to an untrusted domainÂ usingÂ anÂ export override account.
The Server component is implemented asÂ a COM+ Application in Microsoft Internet Information Server (IIS).Â Each COM+ Application can on handle one set of credentials.Â If you use different credentials per domain, you must install a new server component for each domain. To use the export overrideÂ functionality, the server componentÂ must trustÂ the target domain that youÂ want to export toÂ and alsoÂ trust the domain whereÂ the repository database is installed.
When you export a Group Policy Object (GPO) through Export Proxy, an export request is sent to the GPA server. The request contains GPO and repository location information. The GPA server component connects to the repository to read the GPO settings and then writes to Active Directory.Â Since it is based on IIS, the account has to be use Microsoft Windows authentication to read from the repository database and so requires the trust relationship.Â Â
In NetIQ Group Policy Administrator 5.0, you can now export GPOs to untrusted domains using the new GPA server component. The new GPA server component isÂ not dependent on IIS.
For more information on how to configure GPA 5.0 to export to untrusted domains, see the NetIQ Knowledge Base article NETIQKB44875:Â "HowÂ do I configure theÂ server piece of GroupÂ Policy Administrator toÂ work in a non-trusted domain configuration?" https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB44875.