Pat,
Steve is absolutely correct. Here is a little bit more
detail:
You can apply Group Policy at four levels: local, Site,
Domain and OU ( then sub-OU, sub-sub-OU, etc. ). In
addition, the order in which I listed the four is
the "pecking order". Meaning, if there is a Policy set at
the Domain level and it conflicts with a Policy set at the
OU level the OU level wins.
Let's take a look at the OU level since this is where most
of the work will be done!
You need to put the objects that you want affected by the
policy in the OU. By objects I mean user accounts and
computer accounts. PERIOD!
Now, when applying the Policy you can use Security Groups
to filter who is truly affected. You see, by default, the
group "Authenticated Users" is given Read and Apply Policy
permissions. Authenticated Users entails exactly that:
all authenticated users ( yep! even the Administrator
account ). You can simply remove that group and "replace"
it with any security group or user that you choose (
remember, though, that it is generally much better to use
groups ). So, instead of having "Authenticated Users" you
could, for example, have "No Internet Access" group.
Also, remember that there are two Default Policies: the
Default Domain Controllers Policy and the Default Domain
Policy. It is generally a really good idea to stay away
from those two policies. Anytime you want to do something
simply create a new one. You can, over time, "combine"
several policies into one.
Also, remember, if you are going to install software via
GPO that you can ASSIGN software to both the user
configuration as well as computer configuration but that
you can only PUBLISH software to the user configuration.
Also, do not forget about the ADVANCED option ( which is
useful if you ever want to use .mst files ).
I hope that this clarifies things for you.
Cary
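
The security filtering described in the message above, written with the GroupPolicy PowerShell module as an added example (not part of the original post). The GPO name, OU path and domain are assumptions; "No Internet Access" is the group named in the post. It keeps Read (without Apply) for Authenticated Users, because since the MS16-072 update user policy is retrieved in the computer's security context and a GPO that computers cannot read stops applying.

```powershell
# Added example, not from the original post. Run on a machine with the
# Group Policy management tools (RSAT) installed, as a GPO administrator.
Import-Module GroupPolicy

$GpoName   = 'Restrict Internet Access'      # hypothetical GPO name
$GroupName = 'No Internet Access'            # security group named in the post
$TargetOu  = 'OU=Staff,DC=example,DC=com'    # hypothetical OU holding the accounts

# Create a separate GPO instead of editing the Default Domain Policy or
# the Default Domain Controllers Policy.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Filtered to one security group'
}

# Link it to the OU that contains the user/computer accounts, once.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Security filtering: only members of the group get Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Downgrade the default "Authenticated Users" entry from Read + Apply to
# Read only. -Replace is needed because the existing level is higher.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting ACL: exactly one trustee should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

Run `gpresult /r` on a member workstation after the next policy refresh to confirm the GPO appears under applied objects only for accounts in the group.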