Applying GPO to a Security Group

If I understand, GPO is applied at the LSDOU level (Local, Site, Domain, OU).
Well, let's say we have many OUs that have users and groups inside.
I need to deploy software to certain users that are members of the Company Communication Committee. So I will create a security group named CCC
from the AD console, then I can choose any OU and create/link a GPO to it, then I will specify the software settings in GPMC for the software.
My question is: does it matter to which OU I need to link my GPO, since I will have to do the WMI filtering anyway for the CCC group?

Or should I create a new OU, for instance, name it CCC, put the CCC group in it, apply the GPO, and then add the CCC group to the WMI filtering of the CCC?

Any clarification on this?


If you have filtering on and exclusively for that target group, you can apply the GPO at the top level, for example.
It all comes down to preference. If the GPO will only be exclusively for users in that OU, then link it there directly.
If not, then apply it on a higher level. You can check it's working by looking at the Group Policy Inheritance tab.
jskfan (Author) commented:
If individual users that belong to the CCC group are scattered all over different OUs, then why can't I just create an empty OU, put the CCC group in it, apply the GPO to the OU, and select the CCC group in WMI filtering?

At the domain level, other than password policy, I do not think it is recommended to apply other types of GPOs.
You can do that. It just means if you have other GPOs you will have to reapply them. I apply a number of GPOs at a higher level; it's down to personal preference.

yo_bee (Director of Information Technology) commented:
As others stated, leverage the scope feature of GPO, but you can use WMI.

WMI filtering against security groups, create a new GPO that will apply to an OU that includes all the users. When the user logs in and they are part of the security group the WMI will see this and apply the GPO.

There are plenty of links that will illustrate this if you search the Internet.

Here is MS KB

Or use a similar GPO model, use scope and apply the scope to the security group.

I like the latter of the two, but it is worth trying so you understand the concept.
jskfan (Author) commented:
What I was trying to understand is if users that are members of the CCC group are scattered all over in different OUs in Active Directory.
In this case, can I create a new empty OU regardless of where it is located and put the CCC group in it (probably the CCC group does not have to be in that OU), then apply the GPO to the new OU, and specify the CCC group in the WMI filtering?

Would this be correct? Or do the individual user accounts have to be in the OU where the GPO is applied?
They have to be in the OU. If you place the GPO at a higher level, it will filter down and only apply to those that you have set.
yo_bee (Director of Information Technology) commented:
Create the GPO at the domain level and apply it to the security group under the scope option of the GPO. No need to create an OU for this.

Since you set the scope to just the security group, only members of the group will be able to read the GPO. This will give you the results that you are looking for.
yo_bee (Director of Information Technology) commented:
Here is MS KB for Security Filtering

As others stated, if you do not block inheritance at the OU level, then any GPO applied at a higher level will apply to the OU where the users are.

Now, if you build this GPO, remove the default Authenticated Users group from the Scope > Security Filtering, add the security group that you want this to apply to, and the GPO is inherited by all OUs that the users reside in, then the GPO will apply to those users. Anyone that is not part of the group will not be able to read the GPO and in turn will not get the settings.

I have attached a screenshot of one of my GPOs that is targeting a certain security group.
This GPO is nested a bit lower because all my users reside below this OU, but if you have an OU structure that is all over the place, I would move this to the highest OU level in your structure so you do not miss any user. The arrow illustrates where the GPO should be placed.
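
The security-filtering setup described in this answer, scripted with the GroupPolicy and ActiveDirectory PowerShell modules as an added example (not code from the thread), followed by two checks: who holds Apply on the GPO, and whether every CCC member's OU still inherits the link. The GPO name and domain DN are placeholders; Authenticated Users is kept at Read without Apply, which clients patched with MS16-072 need in order to process user settings from a security-filtered GPO.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. Assumed values: the GPO name and domain DN are placeholders.
$GpoName = 'CCC Software Deployment'
$LinkDn  = 'DC=example,DC=com'
$Group   = 'CCC'

# Create the GPO once and link it above every OU that holds CCC members.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $LinkDn).GpoLinks | Where-Object GpoId -eq $gpo.Id
if (-not $linked) { New-GPLink -Guid $gpo.Id -Target $LinkDn | Out-Null }

# Security filtering: CCC gets Read + Apply; Authenticated Users drops to Read only.
# -Replace is needed because Set-GPPermission will not lower a level without it.
Set-GPPermission -Guid $gpo.Id -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Check 1: only the intended group should hold GpoApply.
$apply = Get-GPPermission -Guid $gpo.Id -All | Where-Object Permission -eq 'GpoApply'
$unexpected = $apply | Where-Object { $_.Trustee.Name -ne $Group }
if ($unexpected) {
    Write-Warning "GPO also applies to: $($unexpected.Trustee.Name -join ', ')"
}

# Check 2: each member's parent OU must still inherit the link
# (an OU with Block Inheritance set would silently drop it).
$parents = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { $_.distinguishedName -replace '^(?:\\.|[^,\\])+,', '' } |
    Sort-Object -Unique
foreach ($dn in $parents) {
    try   { $som = Get-GPInheritance -Target $dn -ErrorAction Stop }
    catch { Write-Warning "Cannot evaluate inheritance for '$dn'"; continue }
    if ($som.InheritedGpoLinks.GpoId -notcontains $gpo.Id) {
        Write-Warning "GPO does not reach '$dn' (blocked: $($som.GpoInheritanceBlocked))"
    }
}
```

Running `gpresult /r` in a CCC member's session afterwards shows whether the GPO was applied or filtered out for that user.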

Will Szymkowski (Senior Solution Architect) commented:
For Active Directory performance, it is better to link the GPO to the OUs where the users reside, or the parent OU (if you are using multiple nested OUs).

I would not be applying GPOs like this to the top level; link them to the OUs where the user resides.

jskfan (Author) commented:
Will Szymkowski,

Sometimes the users you need to apply a GPO to are not in the same OU, and if you move them around you can create problems.

Thank you guys for your clarification. As long as the OU that the GPO is linked to is a "Root" OU for other OUs underneath, then users in the latter OUs will have the GPO applied to them. The WMI filtering will be set up at the Root OU where the GPO is linked.
yo_bee (Director of Information Technology) commented:
You do not need to go down the WMI route.
Use the same idea of placing the GPO at the highest level, and if the user is not part of the security group then you are adding 1 sec or so to the whole logon process.

I would recommend the scope tab and just apply security filter to the security group/groups

My screenshot sort of illustrates how to accomplish it.
jskfan (Author) commented:

I meant you need to remove "Authenticated Users" and replace it with "CCC group".

I agree the GPO should be linked to the highest OU (Parent), and the CCC group does not have to be inside that highest OU.
jskfan (Author) commented:
Security filtering, not WMI filtering.
yo_bee (Director of Information Technology) commented:
Sounds like you have a road map. Hope it works

jskfan (Author) commented:
Thank you