Using Security Filtering to Apply GPOs to Selected Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, a GPO affects all users and computers contained in the linked site, domain, or OU. However, you can use Security Filtering on a GPO to narrow its effect so that it applies only to a specific user or to the members of a security group; Security Filtering does this by modifying the permissions on the GPO. By combining Security Filtering with appropriate placement in OUs, you can target any given set of users.

In order for a GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO. By default, Authenticated Users have both Apply Group Policy and Read permissions set to Allow. Both of these permissions are managed together as a single unit by using Security Filtering in GPMC.

To set the permissions for a given GPO, in the GPMC console tree, expand Group Policy Objects in the forest and domain containing that GPO. Click the GPO, and in the details pane, on the Scope tab, under Security Filtering, remove Authenticated Users, and then click Add to add a new group.

To filter a GPO by a particular security group, add that group to the Security Filtering section on the Scope tab of a GPO in GPMC.

For example, if you want only a subset of users within an OU to receive a GPO, remove the Authenticated Users from Security Filtering. Instead, add a new group with Security Filtering permissions that contains the subset of users who are to receive the GPO. Only members of this group that are within the site, domain, or OU where the GPO is linked receive the GPO; members of the group in other sites, domains, or OUs do not receive the GPO.
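The same Security Filtering change made from the GroupPolicy PowerShell module instead of the GPMC user interface. This is an added example, not part of the original article; the GPO name "Desktop Lockdown", the group "Lockdown Users" and the domain are assumed. It departs from the GPMC steps above in one respect: rather than removing Authenticated Users entirely, it downgrades them to Read only. On domains where MS16-072 (June 2016) is installed, the computer account retrieves user GPOs, so Authenticated Users (or Domain Computers) must keep Read or the GPO silently stops applying; Apply Group Policy is still granted only to the target group, which is the effect the article describes.

```powershell
# Added example: scope a GPO to one security group with the GroupPolicy module.
# Assumed names: GPO "Desktop Lockdown", group "Lockdown Users".
Import-Module GroupPolicy

$gpoName   = 'Desktop Lockdown'
$groupName = 'Lockdown Users'

# Show the current filtering: who holds Read and/or Apply Group Policy on the GPO.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# GPMC "Security Filtering" manages Read + Apply Group Policy as one unit.
# Step 1: take Apply Group Policy away from Authenticated Users but keep Read.
# -Replace is required: without it, Set-GPPermission only ever raises a
# trustee's permission level and would leave GpoApply in place.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: grant Read + Apply Group Policy (GpoApply) to the group that should
# receive the GPO. Members of this group only get it where the GPO is linked.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: the target group should show GpoApply, Authenticated Users GpoRead.
$check = @(
    (Get-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group),
    (Get-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group)
)
$check | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On a client, gpresult /r (run as the user being tested) lists a GPO that was filtered out under "The following GPOs were not applied because they were filtered out" with the reason "Denied (Security)", which is the quickest way to confirm the filter is doing what you expect.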

You might want to prevent certain Group Policy settings from applying to the Administrator group. To accomplish this, you can do one of the following:

  • Create a separate OU for administrators and keep this OU out of the hierarchy to which you apply most of your management. In this way, administrators do not receive most of the settings that you provide for managed users. If this separate OU is a direct child of the domain, the only possible settings administrators receive are settings from GPOs linked either to the domain or the site. Typically, only generic, broadly applicable settings are linked here, so it might be acceptable to have administrators receive these settings. If this is not what you intend, you can set the Block Inheritance option on the administrators’ OU.

  • Have administrators use separate administrative accounts for use only when they perform administrative tasks. When not performing administrative tasks, they would still be managed.

  • Use Security Filtering in GPMC so that only non-administrators will receive the settings.
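The first option above (a separate administrators' OU with Block Inheritance set) done with the GroupPolicy PowerShell module, as an added example that is not part of the original article. The OU path "OU=Admins,DC=contoso,DC=com" is assumed. The example also checks for links that Block Inheritance does not stop: a GPO link marked Enforced at the domain or site still applies to a blocked OU, so an enforced domain-level GPO would continue to reach the administrators.

```powershell
# Added example: isolate administrator accounts in their own OU and block
# inheritance from the domain and site. Assumed OU path below.
Import-Module GroupPolicy

$adminOu = 'OU=Admins,DC=contoso,DC=com'

# Before: which GPO links does the OU inherit from the domain and site?
$before = Get-GPInheritance -Target $adminOu
"Inherited before blocking: $($before.InheritedGpoLinks.Count)"
$before.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# Block inheritance so only GPOs linked directly to the OU, plus any links
# above it that are marked Enforced, still apply.
Set-GPInheritance -Target $adminOu -IsBlocked Yes | Out-Null

# After: confirm the block and list what still reaches the OU.
$after = Get-GPInheritance -Target $adminOu
"GpoInheritanceBlocked: $($after.GpoInheritanceBlocked)"
$after.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced

# Enforced links bypass Block Inheritance, so call them out explicitly;
# each one listed here still applies to the administrators' OU.
$after.InheritedGpoLinks |
    Where-Object { $_.Enforced } |
    ForEach-Object { "Still applied despite the block (Enforced): $($_.DisplayName)" }
```

If an enforced GPO shows up in that last list and administrators should not receive it, either remove the Enforced flag on that link or fall back to the third option above and use Security Filtering on that GPO so that only non-administrators hold Apply Group Policy.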