Can Group Policy Administrator export GPOs to untrusted domains? (NETIQKB42319)

  • 7742319
  • 02-Feb-2007
  • 01-Oct-2007



How does the Group Policy Administrator Server component function with domains that have no trusts for the Export Override functionality?

NetIQ Group Policy Administrator 4.x

Cannot export a GPO to an untrusted domain using an export override account.


The Server component is implemented as a COM+ Application in Microsoft Internet Information Server (IIS). Each COM+ Application can only handle one set of credentials. If you use different credentials per domain, you must install a new server component for each domain. To use the export override functionality, the server component must trust the target domain that you want to export to and also trust the domain where the repository database is installed.

When you export a Group Policy Object (GPO) through Export Proxy, an export request is sent to the GPA server. The request contains GPO and repository location information. The GPA server component connects to the repository to read the GPO settings and then writes to Active Directory. Because the server component is based on IIS, the account has to use Microsoft Windows authentication to read from the repository database, and so requires the trust relationship.

In NetIQ Group Policy Administrator 5.0, you can now export GPOs to untrusted domains using the new GPA server component. The new GPA server component is not dependent on IIS.

For more information on how to configure GPA 5.0 to export to untrusted domains, see the NetIQ Knowledge Base article NETIQKB44875: "How do I configure the server piece of Group Policy Administrator to work in a non-trusted domain configuration?"

Additional Information

Formerly known as NETIQKB42319