Applying Group Policy to a Machine

    Question

  • From what I understand, adding a computer to a Global Group that is being filtered in a GPO does not work. The only way to apply a group policy to a machine is by having the machine reside in the same OU that the GPO resides in. Can someone confirm this? And if this is the case, is there an alternative? Moving computer accounts to another OU just to receive a specific GPO is not an option for me. Thanks in advance for your help! Mike
    Thursday, February 17, 2011 8:42 PM

All replies

  • GPOs cannot apply policy to groups, only user and computer objects.  So, yes, you must have the computer account in an OU or sub-OU where a GPO is linked.  Security filtering is used when you do not want all of the objects in the target OU to process the GPO.


    Visit: anITKB.com, an IT Knowledge Base.
    Thursday, February 17, 2011 9:04 PM
  • "adding a computer to a Global Group that is being filtered in a GPO does not work."
         This is not accurate.  You can create a security group and add the computer account to the security group, then set security on the GPO to either Allow the Group Policy to apply to the members of the global group, or deny apply of the policy to members of the global group, etc.

    "The only way to apply a group policy to a machine is by having the machine reside in the same OU that the GPO resides"
         This is partially accurate.  The machine (computer object) must be within scope of the group policy.  If the GPO is linked at the Domain level, all OUs and objects in the domain are subject to the group policy.  Suppose the following domain structure exists:

    domain
        |
        ---OU 1
        |    |
        |    ----OU 2
        |
        ---OU 3
             |
             ----OU 4

    If the GPO is linked to OU 1, the GPO will apply to all affected objects in OU 1 and below.  So objects in OU 2 will also get the GPO settings, but objects in OU 3 and OU 4 will not get the settings, even if the security settings say they do, because they are not in scope.

    The way to do what you are asking is to find the closest OU that contains all the objects you want to affect, and then filter based on security.  For instance, if OU 2 has 10 machines, and you want to only apply the GPO to 5 of them, you would link the GPO to OU 2, and then modify the security of the GPO so that "Authenticated Users" is not given the "Apply Policy" right (this is the default), and the "My GPO Machines" group containing your 5 machines is given the "Read" and "Apply Policy" rights.  So all 10 machines in OU 2 will be in scope of the GPO, but the security filter based on the group membership will only let the policy apply to 5 of them.

    Likewise, if you have machines in OU 2 and in OU 4 that you want to get the policy, but don't want machines in OU 1 or OU 3, you can link the GPO at the domain level, putting all OUs in scope, then create your security group with the machines of OU 2 and OU 4 as members, and apply it to the GPO with "Read" and "Apply Policy" rights, and remove the "Apply Policy" right from "Authenticated Users".  The effect will be that the machines in OU 1 and OU 3 will see the policy but will not apply it based on the security filter; however, machines in OU 2 and OU 4 are in scope and are allowed to apply the policy based on the security filter.

    As an additional note, you can also apply GPOs based on site, but it does not sound like this was the basis of your question.

    Hope this helps

    Thursday, February 17, 2011 9:04 PM
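The procedure described in the reply above (link the GPO at the closest OU that contains all target machines, drop "Apply group policy" from Authenticated Users while keeping Read, and grant Read plus Apply to a security group containing the computer accounts) scripted with the GroupPolicy and ActiveDirectory RSAT modules. This is an added example, not code posted in the thread; the GPO name, group name, OU distinguished name and computer names are hypothetical, and it assumes you run it on a domain-joined admin workstation with rights to create groups, GPOs and GPO links.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and ActiveDirectory
# RSAT modules and an account that can create groups, GPOs and GPO links.
# Every name below is hypothetical; replace with your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'My GPO'                              # hypothetical GPO name
$GroupName = 'My GPO Machines'                     # hypothetical global security group
$TargetOu  = 'OU=OU 2,OU=OU 1,DC=example,DC=com'   # hypothetical OU: closest OU holding all target machines
$Members   = 'PC01$','PC02$','PC03$','PC04$','PC05$'  # hypothetical computer accounts (sAMAccountName ends in $)

# 1. Security group that will carry the "Apply group policy" right.
#    Computer objects are valid members of a global security group.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOu
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Create the GPO if needed and link it where all target machines are in scope.
#    Linking is what puts objects in scope; the ACL below only filters within that scope.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 3. Security filtering.
#    Authenticated Users is reduced to Read only (-Replace is needed to lower an existing
#    level). Do NOT remove Read entirely: the computer account must still be able to read
#    the GPO, otherwise policy processing fails instead of being silently filtered.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

#    The group gets Read + "Apply group policy" (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Verify the resulting delegation: only $GroupName should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

Two things to check after running it. First, a computer's group membership is carried in its logon token, so a machine added to the group will not pick up the filtered GPO until that token is rebuilt, which in practice means a reboot of the client; `gpupdate /force` alone is not enough. Second, on a client that is in scope but not in the group, `gpresult /r /scope:computer` should list the GPO under the GPOs that were not applied with the reason "Filtering: Denied (Security)", which is the expected outcome of the filter; an access-denied error in the Group Policy event log instead means Read was removed rather than just Apply. `Set-GPPermission` only writes Allow entries; if you want the alternative the reply mentions, an explicit Deny of "Apply group policy" for a group, that is done in GPMC on the GPO's Delegation tab via Advanced, and a Deny on a group that also contains administrators or the computer itself is an easy way to lock yourself out of the policy.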
  • Hello,


    Based on my research, please view the Tech article below:

    Filter the scope of Group Policy according to security group membership
    http://technet.microsoft.com/en-us/library/cc786636(WS.10).aspx


    Hope all the information will be helpful.


    Best regards,

    Tom Zhang


    Tom Zhang – MSFT
    Friday, February 18, 2011 9:19 AM
    Moderator