Best Practice: How to apply a Group Policy Object to individual users or computer
Last week I showed you how to exclude individual users from having a Group Policy Object (GPO) applied, and this time I will show you how to properly apply a GPO to an individual user or computer. As I previously mentioned, it is always best to use a security group with GPO filtering, even if you are only going to apply it to a single user or computer. This avoids ever having to go back and modify the GPO security filtering if you need to add more objects to the policy in the future.
Note: Before I start, I should point out that a common mistake here is to remove “Authenticated Users” directly from the Security Filtering section on the Group Policy Object.
DON'T DO THIS!!!
You should never do this, as it can cause “Inaccessible” (see image below) error messages on Group Policy Objects in the Group Policy Management Console for anyone who is not a Domain Administrator. This happens because you have removed the ability for the user to read the contents of the GPO, but don’t worry, this does not mean the policy will be applied to that user.
Step 1. Select the Group Policy Object in the Group Policy Management Console (GPMC), click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Select the “Authenticated Users” security group, scroll down to the “Apply Group Policy” permission and un-tick the “Allow” security setting.
Note: The “Allow” permission for “Read” still needs to remain ticked, as this prevents the Inaccessible message mentioned above.
Step 3. Now click on the “Add” button and select the group (recommended) that you want this policy to apply to. Then select the group (e.g. “Accounting Users”), scroll the permission list down to the “Apply group policy” option and tick the “Allow” permission.
This Group Policy will now only apply to users or computers that are members of the Accounting Users security group. However, you still need to remember that the user and/or computer still needs to be located under the scope of the Group Policy Object for this policy to be applied.
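The same three steps can be scripted and verified with the GroupPolicy PowerShell module (installed with GPMC). This is an added example, not part of the original post; the GPO name "Accounting Settings" is a hypothetical placeholder, and "Accounting Users" is the example group from Step 3.

```powershell
#Requires -Modules GroupPolicy
# Added example. $GpoName is a hypothetical placeholder; change both values.
$GpoName     = 'Accounting Settings'
$TargetGroup = 'Accounting Users'

# Step 2: leave Authenticated Users with Read only (no Apply).
# -Replace is needed because GpoRead is lower than the existing GpoApply
# level; without it Set-GPPermission leaves the higher permission in place.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Step 3: grant Read + Apply Group Policy to the filtering group.
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the resulting delegation.
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize

# Match Authenticated Users by its well-known SID (S-1-5-11) so the check
# also works on systems where the display name is localized.
$authUsers = $perms | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
$target    = $perms | Where-Object { $_.Trustee.Name -eq $TargetGroup }

if (-not $authUsers) {
    Write-Warning 'Authenticated Users has no entry: non-admins will see this GPO as Inaccessible.'
}
elseif ($authUsers.Permission -ne 'GpoRead') {
    Write-Warning "Authenticated Users has '$($authUsers.Permission)', expected GpoRead."
}

if (-not $target -or $target.Permission -ne 'GpoApply') {
    Write-Warning "'$TargetGroup' does not have Apply Group Policy on '$GpoName'."
}
```

Run it from an account that is allowed to edit the GPO's permissions. A run with no warnings means the delegation matches Steps 1 to 3.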