How can group policy be applied to groups of computers

Posted on 2004-09-01
Last Modified: 2010-04-14
We currently have around 2200 machines running Windows 2000 on a Server 2000 network, and have been trying to get computers divided into groups so that some startup scripts can be run on them based on their locations.  At the moment it is not an option to divide the computers into separate OUs as each computer will probably want to be in more than one group.

The basic question that I am trying to get answered is: can you apply group policy to a group of computers, and if so, how?
Question by: jhutch2000

Assisted Solution

inlinemike earned 50 total points
ID: 11952213
If you had a 2003 server as a DC this would be a lot easier.  It can be done through ACLs though.  It gets really tricky trying to troubleshoot and RSoP will become your best friend.  But if you want to look at how it's done:

With at least one 2003 DC you can fully use the WMI filters found here:

I'd also recommend the Group Policy Management Console if you aren't currently using it.  It will streamline a lot of the GPO functions into a single UI.  It takes some getting used to but I think you'll find it's a lot easier to use than the standard MMC snap-ins.

Accepted Solution

JConchie earned 50 total points
ID: 11953231
Actually, it ain't that hard....if you want to apply policy based on location, segment your network into different sites.....add individual machines to the necessary site....and apply policy at the site level.

Author Comment

ID: 11953599
At the moment using a 2003 computer isn't really an option, which is unfortunate as it seems that would be the answer, so we won't rule it out for now.

However, regarding the ACL, it's possible that I am adding the wrong thing. To me it seems the most effective thing to add would be the group itself and give it read and apply group policy settings.  However, this doesn't work.  The RSoP tells me that the GP is not being applied to the group and I can't see why.  Any idea what would be best to add to the ACL?
I've tried adding the domain computers group.
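
The ACL approach discussed in this thread (granting a computer group Read and Apply Group Policy on a GPO), as an added example that is not part of any post here. It assumes the GroupPolicy and ActiveDirectory PowerShell modules that ship with later Windows Server and RSAT releases, not Windows 2000 tooling; the GPO and group names are hypothetical.

```powershell
# Added example: scope one GPO to a security group of computer accounts.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; names are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Startup-Script-SiteA'   # hypothetical GPO
$GroupName = 'Computers-SiteA'        # hypothetical group of computer accounts

# 1. Filtering only narrows a GPO's scope: the GPO must still be linked to a
#    site, domain or OU that contains the computer accounts.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$links = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' })
if ($links.Count -eq 0) {
    Write-Warning "GPO '$GpoName' has no enabled link, so it applies to nothing."
}

# 2. Startup scripts are computer settings, so the group has to contain
#    computer accounts (directly or through nested groups), not users.
@(Get-ADGroupMember -Identity $GroupName) |
    Where-Object { $_.objectClass -notin 'computer', 'group' } |
    ForEach-Object {
        Write-Warning "$($_.Name) is a $($_.objectClass), not a computer account."
    }

# 3. Grant the group Read + Apply Group Policy on the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Lower the default Authenticated Users entry from Apply to Read, so only
#    the group applies the GPO while every client can still read it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. List the trustees that can apply the GPO after the change.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
```

A computer account picks up new group membership at its next restart, so RSoP on a member machine only reflects the change after a reboot.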

Author Comment

ID: 11961160
It looks like we're going to hold off on this and then try again to see if 2003 is any better, as under 2000 you can't apply a group policy to a security group, you can only use it to restrict the membership.

Expert Comment

ID: 12475690
The original question, as asked, was answered.

Author Comment

ID: 12475754
Your answer wasn't accepted because of the number of different sites this would require setting up.  Which is also why the original said that the PCs shouldn't be moved to apply it.

Expert Comment

ID: 12476164
That you don't like the answer does not negate the validity of it.  You asked how to organize Active Directory so that you could apply group policy to machines based on location.  That you don't like the amount of work involved is something you may want to discuss with Microsoft.....but I did tell you how to do it within the limitations of Windows 2000 Active Directory.

"Which is also why the original said that the PCs shouldn't be moved to apply it."   You are completely misunderstanding the system.  You don't have to move the PCs anywhere....and they don't have to be in the same geographic location to be in the same OU or Site.  Both OUs and Sites are simply administrative units which exist only for the convenience of the Network administrator.

You also appear to be confusing OUs and Sites, which are administrative units to which group policy can be applied........with security groups.....which are only used for setting permissions on a resource, such as a printer, a folder or an individual file.   That distinction does not change from Windows 2000 to Windows 2003.  I suggest you get a basic understanding of Active Directory and Group Policy (many good books and classes out there) and all of this will be much easier for you to understand how to configure things.  Group Policy, in both Windows 2000 and Windows 2003 will do exactly what you said you wanted it to do in your original question.....if you understand the concepts.


Author Comment

ID: 12476256
So if I didn't understand it, how can I accept the answer based on the level of information you gave?  You gave no examples, suggestions or links to any sites that could supply further information.  You simply explained it for someone who already knows how to do it.

Expert Comment

ID: 12476349
Look, I'm not going to argue any further with you....you asked a specific question about AD...I answered it.  The fact that you are trying to use a complex tool like AD without having even a basic understanding of how it works was not something that was immediately obvious from your question.  

If you don't understand something or needed more information, you could have asked for it....instead of abandoning the question.....and it would have been gladly given.....but we are not mind readers.

Here's my last piece of advice for you....you wouldn't try to use a complex machine without an understanding of what it does....and how it does it......why would you approach AD any differently.....please educate yourself....then if you need help, at least you will know what the people who are trying to help you are saying.

ee_ai:  as I said, asked and answered.


Author Comment

ID: 12476745
The question was abandoned because the project this involved was binned, not because your answer was not understood.  Undoubtedly you could have provided an answer had there been more time available, however there wasn't and given that this was not looked into further your answer was not suitable.
No doubt had I known more about AD I would not have needed to ask the question.


Question has a verified solution.
