Kiosk,
Absolutely, to your first question. Absolutely not, to your second
question.
The key here is to use Security Group filtering. The security group, by
default, that is given both the READ and APPLY GROUP POLICIES is the
Authenticated Users group. This group does not discriminate!
So, what you would do is one of two things: add the Domain Admins group (or
whatever group you wanted) to the security tab of this GPO and give it the
explicit DENY to the APPLY GROUP POLICY right -OR- create a security group
that is populated with the user account objects that you need, add this
security group to the security tab of the GPO, make sure to give this group
the READ and APPLY GROUP POLICY rights and then remove the Authenticated
Users.
HTH,
Cary
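
The second option in the reply above, scripted with the GroupPolicy PowerShell module and followed by a check of the resulting filter. This is an added example, not part of the original post; the GPO name `Kiosk Lockdown` and the group `Kiosk Users` are constructed placeholders. It assumes the RSAT Group Policy tools are installed, and it leaves Authenticated Users with Read instead of removing the group outright, because current Windows clients read user policy in the computer's security context and need Read on the GPO to process it.

```powershell
# Added example: names below are placeholders, not values from the post.
Import-Module GroupPolicy

$GpoName     = 'Kiosk Lockdown'   # hypothetical GPO to be filtered
$FilterGroup = 'Kiosk Users'      # hypothetical group holding the target user accounts

# Grant the dedicated group Read + Apply Group Policy (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Take Apply away from Authenticated Users. -Replace is required: without it
# the cmdlet will not lower a permission level that is already higher.
# Assumption of this example: Read is kept so computers can still fetch the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Verify the result instead of trusting the two calls above.
$acl = Get-GPPermission -Name $GpoName -All

# Everyone who can still apply the GPO (allow entries only).
$appliers = $acl | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

# Explicit deny entries, e.g. a Deny on Apply Group Policy set in the Security tab
# (the first option in the post). They show up here with Denied = True.
$denies = $acl | Where-Object { $_.Denied }

$acl | Sort-Object { $_.Trustee.Name } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited

$unexpected = $appliers | Where-Object { $_.Trustee.Name -ne $FilterGroup }
if ($unexpected) {
    Write-Warning ("GPO '{0}' is still applied by: {1}" -f $GpoName,
        (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
}
if (-not ($acl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })) {
    Write-Warning "Authenticated Users has no entry; confirm computers can still read '$GpoName'."
}
if ($denies) {
    Write-Warning ("Explicit deny entries present for: {0}" -f
        (($denies | ForEach-Object { $_.Trustee.Name }) -join ', '))
}
```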