We are running Windows 2003 Active Directory. We have a Users OU which has a GPO named "UsersGPO" applied. This GPO sets many settings including desktop wallpaper, IE home page, what they can see in the Control Panel etc etc. The GPO is applied as:
Security Filtering: Authenticated Users
Delegation: Domain Admins, IT staff are denied from GPO application
We have a couple of developers in our company, and they want to test something related to the company Intranet. So, they want NO IE home page set, but they do want all the other settings.
I was just thinking of the best way to do this. My thoughts were:
i) Copy the UsersGPO and create a new one, DevelopersGPO, that had the same settings bar the IE home page.
ii) In Filtering, set to the Developers AD security group only.
I'm not sure what to set in Delegation though? Will the fact that the GPO has Filtering for Developers AD group only mean that it won't be applied to other users/domain admins etc? Or should I add them in there, with a Deny, to be sure? How about Denying them from even reading it?
iv) In the Users OU, the UsersGPO has link order 3. Would I be correct in saying that as long as this GPO was link order less than that (e.g. 2), the IE setting would not be set for these developers?
Any help appreciated!