How to compare GPOs from different domains/ forests (4237294)

How can a difference report be run on GPOS from separate Domains/ Forests?

There must either be a 2 way transitive trust; or minimum trust necessary is that the test domain (Test.com below) trusts the service account's domain (Main.com below). If this is the case, then the service account can be granted access to the GPOs in test.com, and the ExternalDomains registry key should work (instructions below).

Follow these steps after the trusts have been confirmed, and the environment above has been configured (or similar):

1. Create/ add the following registry key to the GPOAdmin server in MAIN.com:
   HKLM\Software\quest software\quest group policy manager\vccconfig
2. Create a new String Value, Name "ExternalDomains" (Without the quotes) data= TEST.com Domain
3. Restart the GPOAdmin service
4. Open the GPOAdmin Console
5. TEST.com is visible under Live Environment
6. Register the GPOs you want to compare
7. Select Reports, New Report, Difference Report. This will provide the ability to choose any 2 registered GPOs on this server to run the difference report on.

1. Get the objectGUID for each domain in the ExternalDomains list from ADSIEdit
2. For each domain run the following SQL:
   INSERT INTO [dbo].[Domains] ([DomainID], [DomainName], [ShowInLiveView], [IsAzure]) Values ('<DomainObjectGUID>','<DomainFQDN>',1,0)
3. For each domain Get the objectSID for the Domain Users group for each of the domains using ADSIEdit
4. For each of these run the following SQL:
   INSERT INTO [dbo].[DomainSecurity] ([DomainID],[TrusteeSID],[DomainRights]) values ('<DomainObjectGUID>', '<DomainUsersSID>', 255)