In a GPO on Server 2008, there's a scope\Security Filtering list and the Delegation tab. Scope is where you say who the GPO applies to and in Delegation you can set who to NOT apply the GPO.
I have an OU with a bunch of PCs and an OU with a bunch of users.
I want to create a GPO that says If you are user1 AND you are logging into pc1, then the following GPO applies.
It seems as though scope says If you are either a user, PC in the list (or a member of a group that's in the list), then the GPO applies, rather than making both a requirement. I'd prefer not to use WMI filtering and I'd prefer not to have to add new PCs and Users to a group just to make sure they don't get a GPO applied. Instead I'd much prefer to have group(s) that I can add users or PCs to that basically says "if you're a member of this group and the pc you're logging into is a member of this other group, then this GPO applies."