GPO applying to only users

Tony

How do I make a GPO to apply to only certain users or groups? I currently
have OUs set up and I put computers in there.
So users have to log in to their own computer to get the GPO. I want the GPO
to be based on groups.
 
Tony,

To do this you need to modify the ACL of the GPO itself... go to the OU and
select Group Policy, then click the Properties button and select the security
tab. That is where the ACL list for the GPO is. One of the default
permissions is for Authenticated Users to have read and apply; remove that
and add your group that you want and give them read and apply. Remember,
though, that the user must be in the OU where the GPO resides for this to work;
otherwise you will need to enable loopback policy processing in the GPO.

Mike.
 
Users are in a totally different OU. So by enabling loopback, if a user logs
in from any computer, whether or not it is in the OU, they will get the GPO?
 
Yes,

Loopback changes the way that GPOs are processed.

Normally when the computer boots up it will process any GPOs that are linked
to the OU (well, we could also say container but let's just focus on the
OUs for now) in which the computer account object directly resides. You
are then prompted for a user name and password and domain. So, you supply
your user name and password. At that moment all of the GPOs that are linked
to the OU in which your user account object directly resides are processed.
This is all assuming the default behavior (with the Authenticated Users
group remaining in use). And the key is that when the computer boots up
only settings that are configured in the Computer Configuration area are
applied and when the user logs on only the settings that are configured in
the User Configuration area are applied.

Now, what Loopback does - and know that there are two types: Merge and
Replace - is change this processing.

HTH,

Cary
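
The security filtering and loopback steps discussed in this thread, scripted with the GroupPolicy PowerShell module as an added example (not code from any of the posters). The GPO and group names are constructed placeholders. As assumptions of this example, Authenticated Users is lowered to Read rather than removed so that computer accounts can still read the filtered GPO, and loopback is set in a separate GPO because the filtered one no longer applies to computers.

```powershell
#Requires -Modules GroupPolicy
# Constructed placeholders: substitute your own GPO and group names.
$UserGpoName     = 'Example-User-Restrictions'   # holds the User Configuration settings
$LoopbackGpoName = 'Example-Loopback-Computers'  # linked to the computers' OU
$GroupName       = 'Example-Restricted-Users'

# 1. Security filtering: only members of $GroupName keep "Apply group policy".
#    -Replace is needed because the cmdlet will not lower an existing
#    permission (Apply -> Read) without it.
Set-GPPermission -Name $UserGpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $UserGpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 2. Loopback is a Computer Configuration setting, so the computers must be
#    able to apply the GPO that carries it. It therefore goes into a GPO that
#    still has default filtering, not into the user-filtered one.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $LoopbackGpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Verify the resulting ACL of the filtered GPO.
$acl = Get-GPPermission -Name $UserGpoName -All
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Trustee | Format-Table -AutoSize

# Anything other than the intended group that can still apply the GPO means
# the filter is wider than planned.
$unexpected = $acl | Where-Object {
    $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $GroupName
}
if ($unexpected) {
    Write-Warning ("Unexpected Apply rights: " +
        (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
}
```

Run `gpresult /r` as an affected user on a target computer afterwards to confirm which GPOs were applied and which were filtered out.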
 