

Linking a group policy to the domain

Posted on 2008-10-03
Medium Priority
Last Modified: 2010-04-21
Hello Everyone,
I want to make sure I am doing this correctly.  I created 2 group policies, GP-A and GP-B.
GP-A - Computer configuration - using restricted groups to only have local administrator and domain admins in the local admin group.  I have the security filtering on a group.

GP-B User configuration - preventing most popular instant messengers from running.  I have the security filtering on this group as well.

It is my understanding that if I link both of these group policies to the domain and use the security filtering for the groups I want, then everyone who is not in those groups will not be affected...Is that correct?



Question by:bjennings

Expert Comment

ID: 22635452
Yes, you are right.

Expert Comment

ID: 22635466
Yes, you're right...
If your GPO applies to a machine, then the security filtering will match it to a machine account or group. If the GPO applies to a user, then it will apply it to a user account or group.
Now, I'm assuming you're removing the default "Authenticated users" and placing there only the group(s) or user(s) that are meant to receive these policies, right?

Accepted Solution

tigermatt earned 1400 total points
ID: 22636348
You are correct. Applying the policy at the domain level means that it will apply to every applicable object in the entire Active Directory domain. So, if you set a setting under "Computer Configuration", this will apply to every Computer object, and likewise for a setting under "User Configuration".

By then utilising Security Filtering, you will then block the policy so it only applies to objects in particular security groups.

Remember that for efficiency purposes it is a good idea not to link policies at the domain-level, since this will slow down computer startup and processing of Group Policy. If you can, try to link the policies to appropriate OUs (one GPO object can be linked to more than one OU) so you don't have as many PCs and users trying to apply a policy when it is not applied to them.




Author Comment

ID: 22636925
Thank you so much!!!  One follow-up question... If I create an OU for the group policy, does the security group I want the GP to affect also need to be in that OU, or can that stay in the default users OU?

Expert Comment

ID: 22637085
Your affected users need to be there, so you can either move the users to the new OU or you can create an OU under the users' tree.
You can also create OUs under OUs, so you can manually filter the GPOs down. Remember, the sub-OU members will get the GPO from the parents unless you 'Block inheritance' in the OU. An alternative is the Security Filtering here too.

Expert Comment

ID: 22640171
The Security Group can be located in any OU in the domain. It doesn't matter where the group is situated, it is more important that it contains the correct users for whom the GPO should apply.

Once you apply it over a container containing user objects, remember it will apply to every user object there. Then, when you use Security Filtering, this will restrict the GPO from applying, so it will only apply to users who are a member of the specified group(s).
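
The OU link plus Security Filtering setup discussed in this thread, sketched in PowerShell as an added example (not code from any poster). GP-A and GP-B are the GPOs from the question; the group names and OU paths are hypothetical, and the RSAT GroupPolicy and ActiveDirectory modules are assumed.

```powershell
# Added example: requires the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy, ActiveDirectory

function Set-FilteredGpoLink {
    param(
        [Parameter(Mandatory)][string]$GpoName,      # e.g. 'GP-A'
        [Parameter(Mandatory)][string]$TargetOu,     # DN of the OU holding the affected objects
        [Parameter(Mandatory)][string]$FilterGroup,  # group used for Security Filtering
        [Parameter(Mandatory)][ValidateSet('computer','user')][string]$AppliesTo
    )

    # Link to the OU that contains the users/computers; the group itself can live anywhere.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks.DisplayName
    if ($linked -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
    }

    # Security Filtering: only $FilterGroup gets Read + Apply.
    Set-GPPermission -Name $GpoName -TargetName $FilterGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Downgrade Authenticated Users to Read only (no Apply). Keeping Read matters:
    # since MS16-072, user-side GPOs are fetched in the computer's security context.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # A Computer Configuration GPO only matches computer accounts in the group,
    # a User Configuration GPO only matches user accounts.
    $wrongType = Get-ADGroupMember -Identity $FilterGroup -Recursive |
        Where-Object { $_.objectClass -ne $AppliesTo }
    foreach ($m in $wrongType) {
        Write-Warning "$($m.SamAccountName) is a $($m.objectClass); $GpoName ($AppliesTo settings) will not apply to it"
    }

    # Return the trustees the GPO will actually apply to, for review.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{n='Gpo';e={$GpoName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}

# Hypothetical group names and OU paths:
Set-FilteredGpoLink -GpoName 'GP-A' -TargetOu 'OU=Workstations,DC=example,DC=com' `
    -FilterGroup 'GG-GP-A-Computers' -AppliesTo computer
Set-FilteredGpoLink -GpoName 'GP-B' -TargetOu 'OU=Staff,DC=example,DC=com' `
    -FilterGroup 'GG-GP-B-Users' -AppliesTo user
```

The returned list should show only the filter group with `GpoApply`; any other trustee there means the GPO reaches more objects than intended.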


Author Closing Comment

ID: 31502809
Thanks for your help!

Author Comment

ID: 22690498
Thank you everyone for your suggestions!
