One of the questions I often see is how do I only apply group policies to certain groups or users or computers.
...for those of you already familiar with group policy you will know this already. This post is for those new to working with group policies. If you were sent here by a question I participated in then feel leave a comment if this helps you out.
This entry will serve to supplement Microsoft's article http://technet.microsoft.com/en-us/library/cc781988.aspx
I will first assume you are using GPMC to manage your group policies.
First thing is that group policies can't be applied directly to groups. You link a group policy at the site, domain, or OU level. The policies apply to either users and/or computers.
So suppose you have a policy that you only want to apply to a subset of users or computers. The first thing is to create a group and place the users or computers you want this policy to apply to into that group (I'll use a global group in this example). We will call that group testgroup1.
In GPMC select your group policy object. In GPMC you will see the Scope tab. Notice that by default the policy will apply to Authenticated Users
You will remove authenticated users. Then you can add your testgroup1. Now the policy will only be applied to your testgroup1
So what really happens in the background when you make that change?
If you go to the delegation tab you will see an Advanced button.
As you can see testgroup1 now has "read" and "Apply Group Policy" set to Allow. So the policy will apply to that group. Read and Apply group policy are both needed in order for the user or computer to receive and process the policy
...at this point some of you may be asking, what if I wanted to "deny" the policy to a group or user. If you instincts tell you to apply set Read & Apply Group Policy to "deny" then you would be correct.
In the following screenshot I've set deny permissions for Read & Apply Group Policy and testgroup1 will not receive the policy.
That is really all there is to security filtering and group policies...not so hard after all. Please feel free to contact me if you have any questions about this.