Apply GPO to a Security Group in Windows 2003

I made a script to transfer some files to the local user's disk at logon, placed it in NETLOGON,
created a TEST OU, and a user testusr. Linked the OU to the GPO, placed testusr into the OU and it worked fine.
Since my goal is to include selected users from different OUs in the GPO enforcing, I created a security group testgrp, made testusr a member of this group, moved testgrp into TEST (the OU), and gave it Read & Apply GPO permissions, and then moved testusr back to the users folder (no OU), so that the GPO would be enforced at logon of any member of testgrp. After waiting for gpupdate for several hours, it still doesn't work.
Since it worked fine for an individual user, obviously the problem lies in assigning the GPO to testgrp. Did I miss any step?

In the Group Policy editor, select the GPO object and then go to Delegation and add the security group to that.
Also, under Scope you want to add the group to that.
Despite the name, Group Policy does not apply directly to security groups.  Placing a security group in an OU has no effect on the members of the group.

To accomplish what you want you could instead apply the GPO at the domain level, then go to the GPO's Delegation tab, add Read permission for the desired security group, and remove access from Authenticated Users and any other groups for which you do not want the policy to apply.  This way the policy will apply to all users but only the ones in the specified group will have permission to run it.

Correction: as Network_Data_Support said, the permissions should be added under Security Filtering on the Scope tab, not on the Delegation tab.
I said as you said at first and then realized
Brian Pierce (Photographer) Commented:
To clarify:
Group policies are NOT applied to groups - they are applied to OUs.

The COMPUTER settings are applied based on the OU that the computer account is in.

The USER settings are applied based on the OU that the user account is in.

The OU that any group that the user or computer is a member of has no effect.

You can use filtering - but use it with reserve - it can get messy see

jsonnenvzla (Author) Commented:
Thanks, friends, for your prompt replies.
I created a domain level GPO, added the security group, checked the delegation settings, but nothing happened. Pls tell me:
1.- How long do I have to wait after modifying a GPO?
2.- Would gpupdate /force really update immediately?
3.- If I modify the script, do I have to re-add it to the GPO?
4.- Is it correct to store the script in the netlogon share?
5.- When I add the script to the GPO there's a button "Show Files"; it shows a path inside netlogon, related to an object, but it shows nothing there.
6.- Does having the GPO linked at domain level mean the scope includes the security group no matter the OU where it's located?
7.- What's the meaning of the GPO setting "Enforced"? I'm leaving it set at "NO".

1) gpupdate /force on a client will push it straight away. Otherwise standard update time is 90 mins, from memory.
2) See 1.
3) No, it's all integrated.
4) Yes, means it will replicate.
5) Not sure what you mean exactly.
6) Yes, that's correct.
7) By default it will apply whether or not that's ticked.

Filtering is perfectly fine to use. It's the cleanest, simplest and most efficient way of doing it, as well as being the recommended way by MS, so don't worry about not using it!
Have you added the group to Security Filtering under the Scope options of the GPO? You will need to do this for it to apply to the group.

Delegating just gives users rights to modify the GPO.
7. "Enforced" is the setting which was formerly known as "No Override".  It prevents settings in the GPO from being overwritten by those in other GPOs.  It also trumps "Block Inheritance".

It's best not to use it unless you have to.
jsonnenvzla (Author) Commented:
OK, I finally made it. The tricky part is that I'm implementing a logon script. The GPO was being executed according to your instructions, but the system could not find the script file per se.
The only way to make it work was to drag the .cmd file into the policy's script folder. When you are adding the logon script to the policy, there's a button "Show Files", which shows which scripts are associated with the GPO. There are two ways to put the script there: either copying the object ID of the policy to locate the folder via Explorer (ugly), or dragging the file into this "Show Files" window and then selecting it. After dragging, the script name stays without a path, but having the script dragged to this container makes it available for the GPO. Giving it a path from outside this container didn't work. I solved my problem, but would like to hear some other people's experiences, since I'm not sure it's the correct way to do this.
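
A check for the security-filtering setup discussed in this thread, as an added example that is not part of any post: it reads a saved `gpresult /scope user /v` report and says whether a GPO was applied, filtered out, or never in scope for the user. The GPO name "Logon Files", the domain prefix and the sample report are constructed assumptions; testgrp is the group from the question.

```python
# Constructed sample modelled on `gpresult /scope user /v` output; the GPO
# name "Logon Files" is an assumption, testgrp comes from the thread.
SAMPLE = """\
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Logon Files
            Filtering:  Denied (Security)
    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
"""

HEADINGS = {
    "Applied Group Policy Objects": "applied",
    "The following GPOs were not applied because they were filtered out": "filtered",
    "The user is a part of the following security groups": "groups",
}

def is_rule(s):
    return bool(s) and set(s) == {"-"}

def parse_gpresult(text):
    """Split the report into applied GPOs, filtered GPOs (with reason), groups."""
    out = {"applied": [], "filtered": {}, "groups": []}
    lines = [l.strip() for l in text.splitlines()] + [""]
    section = last = None
    for line, nxt in zip(lines, lines[1:]):
        if not line or is_rule(line):
            continue
        if is_rule(nxt):                      # a heading is underlined with dashes
            section = HEADINGS.get(line)      # unknown headings end the section
        elif section == "filtered" and line.startswith("Filtering:"):
            out["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line
            out["filtered"][last] = ""
        elif section:
            out[section].append(line)
    return out

def diagnose(text, gpo, group):
    r = parse_gpresult(text)
    member = any(g.split("\\")[-1].lower() == group.lower() for g in r["groups"])
    if gpo in r["applied"]:
        return "applied"
    if gpo in r["filtered"]:   # member but filtered: check Read/Apply on the GPO
        return "filtered-member" if member else "filtered-not-member"
    return "not-in-scope"      # GPO is not linked at or above the user's OU
```

Save the real report on the client with `gpresult /scope user /v > report.txt` while logged on as the affected user and pass its text to `diagnose`. A result of `filtered-not-member` right after adding the user to the group usually clears once the user logs off and on, because group membership is read at logon.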
