jjz10 (United States of America) asked:
How do I link a Group Policy Object to a certain group of users?

I only know the way that a GPO can apply to the entire domain,
or a local group policy applies to a workstation, but how do I make it only affect certain user groups?

Please list the procedure in detail. Any help greatly appreciated.
Thomas Lee (United Kingdom):
With Windows 2000, you have two options.

1. You can create an organisational unit (OU) using Active Directory Users and Computers. You can then move users (and computers) into the OU, and then create new OU GPOs that only apply to the users or computers in that OU.

2. You can nest OUs, so that the OU "UK" could contain an OU "London", which could contain another OU "North London". OU policies are inherited by default, so a user in the North London OU inherits domain, UK and London policies. You can turn inheritance off, and can force inheritance, so it gets a little tricky to design and troubleshoot if your domain structure is deep or complex.

3. You can do what's called Group Filtering. Create a policy at the domain level (or OU level) and change the permissions on the GPO to allow only the group you want the policy to apply to to have Read and Apply Group Policy permissions. If you had a group, Sales Managers, that you wanted the policy to apply to, you'd remove all groups from the policy's ACL, and then add the Sales Managers group and give it Read and Apply Group Policy permissions. I do not recommend this approach; if you can avoid it, you should. It gets very complex to debug.

4. Whatever you do, get GPMC. This will not run on a Win2k Domain Controller, but it does run on XP and can be used to manage group policy in a Win2k environment.

HTH

Thomas
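The OU approach (option 1) and the group-filtering approach (option 3) from the answer above, scripted with the RSAT GroupPolicy and ActiveDirectory modules. This is an added example, not code from the thread or from Microsoft; it assumes a domain-joined admin workstation with those modules, an existing user 'jsmith' and an existing group 'Sales Managers', and every name in it is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the RSAT GroupPolicy
# and ActiveDirectory modules, an existing user 'jsmith' and an existing group
# 'Sales Managers'. All names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# --- Option 1: give the users their own OU and link a GPO to it -------------
# Only objects inside the OU receive GPOs linked here (plus whatever they
# inherit from the site, the domain and parent OUs).
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn -ProtectedFromAccidentalDeletion $true
$salesOu = "OU=Sales,$domainDn"
Move-ADObject -Identity (Get-ADUser 'jsmith').DistinguishedName -TargetPath $salesOu

$gpo = New-GPO -Name 'Sales - User Settings' -Comment 'Linked to the Sales OU only'
New-GPLink -Name $gpo.DisplayName -Target $salesOu -LinkEnabled Yes | Out-Null

# --- Option 3: security-group filtering on a domain-linked GPO --------------
# A new GPO grants Authenticated Users Read + Apply Group Policy. Lower that to
# Read only (clients must still be able to read the GPO to evaluate it) and
# grant Read + Apply only to the target group.
$filtered = New-GPO -Name 'Sales Managers - Filtered'
New-GPLink -Name $filtered.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null

# -Replace is needed when lowering an existing permission level.
Set-GPPermission -Name $filtered.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
# GpoApply = Read + Apply Group Policy.
Set-GPPermission -Name $filtered.DisplayName -TargetName 'Sales Managers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Caveat for current domains: since the June 2016 update (MS16-072), user
# settings are retrieved in the computer's security context, so the computer
# account needs Read on the GPO as well. Leaving Authenticated Users with Read
# (as above) covers that; if you remove Authenticated Users entirely, grant
# Domain Computers Read instead, or the user settings silently stop applying.

# Show the resulting permissions.
Get-GPPermission -Name $filtered.DisplayName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission |
    Format-Table -AutoSize
```

The final listing is the check worth keeping: a trustee whose Permission shows GpoApply will receive the policy, one with GpoRead will not.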
Excellent info from tfl. Just remember your approach should be "extremely cautious" when planning to apply GPOs. The goal should be to obtain the desired effect with as few GPOs as possible, so that tracking undesirable effects and client login performance do not become an issue. This type of work should be 98% planning, 2% deployment.
How and when Group Policy is applied
User and computer policy
User policy (settings located under the User Configuration node in Group Policy) is obtained when a user logs on.

Computer policy settings are located under Computer Configuration, and are obtained when a computer boots.

Users and Computers are the only types of Active Directory objects that receive policy. Specifically, security groups do not have policy applied to them. Instead, for performance reasons, security groups are used to filter the policy by way of an Apply Group Policy access control entry (ACE), which can be set to Allow or Deny, or left unconfigured.

Order of application
Policies are applied in this order:

The unique local Group Policy object.
Site Group Policy objects, in administratively specified order.
Domain Group Policy objects, in administratively specified order.
Organizational unit Group Policy objects, from largest to smallest organizational unit (parent to child organizational unit), and in administratively specified order at the level of each organizational unit.
By default, policies applied later overwrite previously applied policies when the policies are inconsistent. If the settings are not inconsistent, however, earlier and later policies both contribute to the effective policy.

Policy can be filtered by security group membership
A security group ACE on a Group Policy object can be set to Not configured (no preference), Allowed, or Denied. Denied takes precedence over allowed.

Blocking policy inheritance
Policies that would otherwise be inherited from higher site, domain, or organizational units can be blocked at the site, domain, or organizational unit level.

Enforcing policy from above
Policies that would otherwise be overwritten by policies in child organizational units can be set to No Override at the Group Policy object level.
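The precedence, inheritance-blocking and enforcement ("No Override") behaviour described above, driven and then verified from PowerShell. This is an added example, not part of the thread; it assumes the RSAT GroupPolicy module, a domain corp.example with nested OUs UK > London > North London, a domain-linked GPO named 'Corp Security Baseline', and a user CORP\jsmith on a workstation WS01. All of those names are placeholders.

```powershell
# Added example (not from the original thread). Assumes the RSAT GroupPolicy
# module and the placeholder domain/OU/GPO/user/computer names below.
Import-Module GroupPolicy

$domainDn    = 'DC=corp,DC=example'
$northLondon = "OU=North London,OU=London,OU=UK,$domainDn"

# 1. What a user in North London receives, and in what order.
#    InheritedGpoLinks is listed in precedence order (Order 1 wins a conflict),
#    so the order of APPLICATION is the reverse: domain, UK, London, North London.
$before = Get-GPInheritance -Target $northLondon
$before.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target | Format-Table -AutoSize

# 2. Block inheritance at North London: links from the domain, UK and London no
#    longer apply here unless they are enforced.
Set-GPInheritance -Target $northLondon -IsBlocked Yes | Out-Null

# 3. Enforce the baseline on its domain link ("No Override" in Windows 2000
#    terms). It now passes through the block, and its settings win over any
#    conflicting setting in a GPO linked to a child OU.
Set-GPLink -Name 'Corp Security Baseline' -Target $domainDn -Enforced Yes | Out-Null

# 4. Re-read: of the links from above this OU, only the enforced baseline remains.
(Get-GPInheritance -Target $northLondon).InheritedGpoLinks |
    Where-Object { $_.Target -ne $northLondon } |
    Select-Object Order, DisplayName, Enforced, Target | Format-Table -AutoSize

# 5. Never trust the design alone: confirm with RSoP for a real user/computer
#    (the interactive equivalent on the client is: gpresult /r /scope:user).
Get-GPResultantSetOfPolicy -User 'CORP\jsmith' -Computer 'WS01' `
    -ReportType Html -Path "$env:TEMP\rsop-jsmith.html"
```

Step 5 is what actually answers "which GPOs did this user get": Get-GPInheritance reports the links a container has, while RSoP reports what a given user on a given machine received after filtering, blocking and enforcement were all evaluated.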

jjz10 (asker):

What if I want some users in the OU to apply a different GPO from other users within the same OU (without creating a sub-OU)?

By the way, if you don't assign the Read permission on the GPO to a user or a group of users, would that potentially mess things up?
You would have to create groups in the OU and assign the GPO to the appropriate group.

"If you don't assign the Read permission on the GPO to a user or a group of users, would that potentially mess things up?"

I do not really think so, since Apply is what applies the GPO, not Read.
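A check for the Read/Apply question above: Group Policy processing needs both the Read right and the "Apply Group Policy" extended right on the GPO for the trustee (or a group it belongs to), so an ACE that grants Apply without Read does nothing. The script below is an added example, not from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a GPO named 'Sales Managers - Filtered' (a placeholder), reads the GPO container's ACL from the AD: drive, and reports every trustee's effective state.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# and GroupPolicy modules; the GPO name is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Object GUID of the 'Apply Group Policy' extended right in the AD schema.
$applyGpRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-GpoApplyAudit {
    param([Parameter(Mandatory)][string]$GpoName)

    $gpo = Get-GPO -Name $GpoName
    # GPO container: CN={guid},CN=Policies,CN=System,<domain DN>
    $dn  = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"

    $byTrustee = @{}
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if (-not $byTrustee.ContainsKey($id)) {
            $byTrustee[$id] = [ordered]@{ Trustee = $id; Read = $false; Apply = $false; DeniedApply = $false }
        }
        $rights = $ace.ActiveDirectoryRights
        $allow  = $ace.AccessControlType -eq 'Allow'

        # Read: any allow ACE carrying ReadProperty (GenericRead includes it).
        if ($allow -and ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) {
            $byTrustee[$id].Read = $true
        }
        # Apply Group Policy: an ExtendedRight ACE whose ObjectType is the Apply GUID.
        if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ace.ObjectType -eq $applyGpRight) {
            if ($allow) { $byTrustee[$id].Apply = $true } else { $byTrustee[$id].DeniedApply = $true }
        }
    }

    foreach ($row in $byTrustee.Values) {
        $obj = [pscustomobject]$row
        $obj | Add-Member -NotePropertyName Effective -NotePropertyValue $(
            if ($obj.DeniedApply)            { 'Denied (deny wins over allow)' }
            elseif ($obj.Apply -and $obj.Read) { 'Applies' }
            elseif ($obj.Apply)              { 'Apply without Read: will NOT apply' }
            elseif ($obj.Read)               { 'Read only: not applied' }
            else                             { 'No access' }) -PassThru
    }
}

Get-GpoApplyAudit -GpoName 'Sales Managers - Filtered' | Format-Table -AutoSize
```

Change permissions through GPMC or Set-GPPermission rather than editing this ACL by hand: the GPO also has a SYSVOL copy whose ACL GPMC keeps in step with the container, and an ADSI-only edit leaves the two out of sync.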
jjz10 (asker):

How do I link a GPO to a "group"? Usually it can only be linked to a domain or an OU.
ASKER CERTIFIED SOLUTION
Housenet (Canada)
This solution is only available to members.