Network Administration: Filtering Group Policy Objects

One of the more confusing aspects of group policy is that even though it applies to users and computers, you don’t associate group policy objects with users or computers. Instead, you link them to sites, domains, or organizational units (OUs).

At first glance, this might seem to limit the usefulness of group policy. For most simple networks, you’ll work with group policy mostly at the domain level, and occasionally at the OU level. Site-level group policy objects are used only for very large or complex networks.

Group policy wouldn’t be very useful if you had to assign the exact same policy to every user or computer within a domain. And although OUs can help break down group policy assignments, even that is limiting because a particular user or computer can be a member of only one OU. Fortunately, group policy objects can have filters that further refine which users or computers the policy applies to.

Although you can filter policy objects so they apply only to individual users or computers, you’re more likely to use groups to apply your group policy objects.

For example, suppose you want to use group policy to set the home page for your marketing staff to www.dummies.com, but you want the accounting staff to go to www.beancounters.com by default. You can easily accomplish this by creating a Marketing group and an Accounting group in Active Directory Users and Computers and assigning the marketing and accounting users to the appropriate groups.

Then, you can create two group policy objects: one to set the marketing department’s home page, the other to set the accounting department’s home page. You can then link both of these policy objects to the domain and use filters to specify which group each policy applies to.

For the following procedure, two group policies were created, named IE Home Page Dummies and IE Home Page Beancounter, as well as two Active Directory groups, named Marketing and Accounting. Here are the steps for filtering these policies so that each one applies only to the correct group:

  1. Choose Start→Administrative Tools→Group Policy Management.

    The Group Policy Management console appears.

  2. In the Navigation pane, navigate to the group policy object you want to apply the filter to.

    The IE Home Page Dummies policy is shown.

  3. In the Security Filtering section, click Authenticated Users, and then click Remove.

    This removes Authenticated Users, so the policy will not be applied to all users.

  4. Click Add.

    This brings up the Select User, Computer, or Group dialog box.

  5. Type Marketing in the text box and then click OK.

    The policy is updated to indicate that it applies to members of the Marketing group.

  6. Repeat Steps 2 through 5 for the IE Home Page Beancounter policy, applying it to the Accounting group.

    You’re done!
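
The same filtering can be scripted and then verified. The following is an added example, not part of the original article, that uses the GroupPolicy PowerShell module installed with the Group Policy Management tools. It differs from Step 3 in one respect: instead of removing Authenticated Users outright, it leaves that group with Read (but not Apply) permission, because since the MS16-072 update user policy is retrieved in the computer's security context and the computer account must still be able to read the GPO. Authenticated Users still disappears from the Security Filtering list.

```powershell
# Added example: scripted equivalent of Steps 1-6, plus a verification pass.
# Assumes the GroupPolicy module is available and that the GPOs and groups
# named in the article already exist in the current domain.
Import-Module GroupPolicy

# GPO name -> the only group that should have the policy applied.
$filters = @{
    'IE Home Page Dummies'     = 'Marketing'
    'IE Home Page Beancounter' = 'Accounting'
}

foreach ($gpoName in $filters.Keys) {
    $group = $filters[$gpoName]

    # Stop if the GPO name is wrong rather than silently doing nothing.
    $gpo = Get-GPO -Name $gpoName -ErrorAction Stop

    # Step 3: take Apply away from Authenticated Users. -Replace is required
    # to lower an existing permission; GpoRead keeps the GPO readable by
    # computer accounts (needed after MS16-072).
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Steps 4-5: grant Read + Apply to the intended group.
    Set-GPPermission -Guid $gpo.Id -TargetName $group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Verification: list every trustee that can still apply this GPO.
    $appliesTo = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    $unexpected = $appliesTo | Where-Object { $_ -ne $group }

    if ($appliesTo -notcontains $group) {
        Write-Warning "$gpoName is NOT applied to $group"
    }
    if ($unexpected) {
        # Leftover Apply entries widen the policy beyond the intended group.
        Write-Warning "$gpoName is also applied to: $($unexpected -join ', ')"
    }

    Write-Output "$gpoName -> applies to: $($appliesTo -join ', ')"
}
```

Run it from an elevated session with rights to modify the GPOs. A warning for either policy means its security filter is broader or narrower than the procedure intends.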