In GPMC there is a box at the bottom for Security Filtering. It says 'the gpo will only apply to the following groups'.
Is this literal? Do you have to specify who the GPO applies to here? What if Group1 & User2 were there? Would the GPO be applied to all Domain Users?
-
Applying GPO
-
By default, a GPO will apply to all users and groups contained within the Organizational Unit that the policy is attached to. In the security filtering section, you can change that behavior to make it only apply to selected users or groups. So, let's say we had a structure like this:
domain.com
|
+-Users
|
+-Computers
|
+-Company
  |
  +-Sales
  |
  +-Marketing
    |
    +-Marketing Employees (Group)
    +-Marketing Manager (Group)
    +-Bob Smith (User)
    +-Tim Johnson (User)
Let's say I have a GPO that I want to apply to my Marketing employees, but not the Marketing Manager. I could attach the GPO to the "Marketing" OU, but then it will apply to the employees and the manager. So, I could follow that up by modifying the security filter to list "Marketing Employees" as being able to apply the policy, but not the manager.
That is not always a perfect solution. For example, the manager might be a member of the Marketing Employees group also. In that scenario, you would need to edit the security settings on the policy and explicitly deny the "Apply Group Policy" permission for the manager.
Let me know if you need more clarification, and sorry for the terrible folder drawing.
Don Pezet
Host, ITProTV
-
That makes sense. So to clarify, the GPO gets applied to everyone in the OU, but if you set a security filter then it only applies to the users/groups/computers you specify.
-
That's correct. It is an extra layer of flexibility when applying GPOs. You could even go a step further and add in WMI Filtering, which allows you to apply GPOs based on other criteria (available disk space, computer name, OS version, etc.). You can get really complex with it if you want, but most people stop with security filtering.
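
The security filter and the explicit deny described in this thread, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original posts. The GPO name "Marketing Desktop" and the account "mmanager" are hypothetical; the group name is taken from the OU drawing.

```powershell
# Added example; the GPO name and manager account are hypothetical placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Marketing Desktop'     # hypothetical GPO linked to the Marketing OU
$group   = 'Marketing Employees'   # group from the thread's OU drawing
$manager = 'mmanager'              # hypothetical sAMAccountName of the manager

# 1. Lower the default "Authenticated Users" entry from Apply to Read only.
#    Read is kept so computer accounts can still retrieve the GPO.
#    -Replace is required, otherwise a higher existing level is left in place.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 2. Security filtering: only this group gets Read + Apply Group Policy.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply

# 3. The manager is also a member of the group, so add an explicit Deny on the
#    "Apply Group Policy" extended right. Set-GPPermission has no deny level,
#    so the ACE is written to the GPO's Active Directory object directly.
$gpo      = Get-GPO -Name $gpoName
$sid      = (Get-ADUser -Identity $manager).SID
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy right
$deny     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Deny,
                $applyGpo)

$path = "AD:\$($gpo.Path)"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# 4. Review the result: the allow entries, then any deny ACEs on the GPO object.
Get-GPPermission -Name $gpoName -All
(Get-Acl -Path $path).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType
```

Because a deny ACE wins over the allow granted through group membership, the manager is skipped even though "Marketing Employees" is in the security filter.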