Administrators create group policies to limit users from performing certain tasks or to automatically set up specific functionality. For example, a group policy can be established to display a legal disclosure to all users who attempt to log on to a system, or it can be set up to limit access to the command prompt. Group policies can be set on AD DS sites, domains, and OUs but can also be configured to apply specifically to groups. This functionality increases the domain designer's flexibility to apply group policies.

As previously mentioned in this article, creating additional OUs simply to apply multiple group policies is not an efficient use of OU structure and can lead to overuse of OUs in general. Rather, you can achieve a more straightforward approach to group policies by applying them directly to groups of users. The following procedure illustrates how you can apply a specific group policy at the domain level but enact it only on a specific group:
1. Open the Group Policy Management Console (Start, All Programs, Administrative Tools, Group Policy Management).
2. Navigate to the OU where the group policy is linked, then select the group policy that you want to apply to a group.
3. In the Details pane, under Security Filtering, select the Authenticated Users group, click Remove, and then click OK to acknowledge removal.
4. In the Details pane, under Security Filtering, click the Add button to select a group to which you want to apply the policy.
5. Type the name of the group into the text box, and click OK.
6. The Security Filtering settings should display the group, as shown in Figure 1. Repeat steps 4-5 to apply the policy to additional groups.

This concept of applying a specific group policy at the domain level but enacting it for a specific group can reduce the number of unnecessary OUs in an environment and help simplify administration. In addition, Group Policy enforcement becomes easier to troubleshoot as complex OU structures need not be scrutinized.
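
The same security-filtering change scripted with the GroupPolicy PowerShell module, followed by a check that only the intended groups hold Apply rights. This is an added example, not part of the original article; the GPO and group names are constructed placeholders. It assumes Authenticated Users should keep Read (without Apply) rather than be deleted outright, so that computers can still read the GPO.

```powershell
#Requires -Modules GroupPolicy
# Added example. Run from a domain-joined host with RSAT/GPMC installed.
# Placeholder names (constructed): replace with a real GPO and real groups.
$GpoName = 'Example-Restrict-CommandPrompt'
$Groups  = @('Example-Kiosk-Users')

# Step 3: take Authenticated Users out of Security Filtering.
# -Replace is required to lower an existing permission level.
# Assumption: Read is kept (GpoRead) so the GPO stays readable in the
# computer's security context; use 'None' to remove the entry entirely.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Steps 4-5: grant Read + Apply to each group the policy should affect.
foreach ($group in $Groups) {
    Set-GPPermission -Name $GpoName -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Step 6: list every trustee that can apply the GPO and compare it with
# the intended set, so a leftover broad group is caught immediately.
$applied = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

$unexpected = @($applied | Where-Object { $_ -notin $Groups })
$missing    = @($Groups  | Where-Object { $_ -notin $applied })

if ($unexpected.Count -or $missing.Count) {
    Write-Warning "Security filtering on '$GpoName' differs from intent."
    if ($unexpected.Count) { Write-Warning "Unexpected Apply: $($unexpected -join ', ')" }
    if ($missing.Count)    { Write-Warning "Missing Apply: $($missing -join ', ')" }
} else {
    Write-Output "'$GpoName' applies only to: $($Groups -join ', ')"
}
```

Running only the verification half on a schedule gives a simple drift check for GPOs whose scope is meant to stay narrow.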