Targeting GPOs

This page describes issues related to how GPOs are targeted to machines and users. Having created GPOs (that are stored in the domain) there are three basic ways to scope the application of a GPO:

Linking to a container. By linking a GPO to a site, domain or OU, all the members of that container are affected by the GPO. Note that links can be enabled or disabled--a disabled link means that the GPO is not processed by users and computers that are subject to it.
Security Filtering. By modifying the security groups associated with a GPO, the application of the GPO can be further refined. For example, if a GPO is linked to OU A and has a security filter for the MyGroup security group, then all accounts that are in OU A and MyGroup will be affected by the GPO. By default a newly created GPO's security Access Control List (ACL) contains an Access Control Entry (ACE) for the Authenticated Users group which has the Read and Apply Group Policy permissions. Since Authenticated Users includes all computers and users in the domain, a new GPO will be processed by all users and computers. So, for example, if you want to restrict a GPO's application to only the users in MyGroup, you would remove the Authenticated Users ACE and add one for MyGroup with Read and Apply Group Policy permissions.
WMI Filters. A further refinement of the application of policy is available by applying WMI filters. These are evaluated on the client and use the results of a WMI Query Language (WQL) query to decide whether the GPO should be applied. If the WMI filter returns results then the GPO is applied, otherwise it is not.

Last Modified 1/6/05 12:06 PM

Hide Tools

Site
Changes
Index
Search

User
Log In
Register