Tuesday, September 1, 2009

How to apply Group Policy only to specific computers in a domain

I have been searching a lot for this and there was no clear answer anywhere. Most links inspired some thought and helped me test things out, but nothing was really specific enough, so I hope this will help.

To apply a GPO to specific computers that share the same users, two main steps are needed:
1. Create an Organizational Unit for the specific computers, AND
2. Create a Global Security Group for the computers

Example:
An OU named "pcOU1" contains the "pc01" computer object. A group named "pcSecurityGroup1", created inside that OU ("pcOU1"), has "pc01" as a member (enable Computers under Object Types when adding the members).

Assuming this is done correctly, now set up the group policy from Group Policy Management (free to download and install with Windows Server 2003). Create the GPO inside the OU ("pcOU1" in this example) and add the security group containing the specific computers you want affected by the policy ("pcSecurityGroup1" in the example) to the Security Filtering section in Group Policy Management.

Now modify the policy however you need, and set the GPO to Enforced if there are other GPOs affecting the same user(s) on the rest of the computers, or on others for that matter.
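The same procedure scripted in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory and GroupPolicy modules (RSAT, which shipped with later Windows Server releases than 2003); the domain DN and GPO name are placeholders, and it goes one step beyond the text by downgrading the default "Authenticated Users" entry from Apply to Read, since security filtering only narrows the scope once that default entry no longer applies the GPO.

```powershell
# Added example, not the post author's code. Run as a domain admin.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'      # placeholder: replace with your domain DN
$ouName   = 'pcOU1'                  # names below are the ones used in the post
$group    = 'pcSecurityGroup1'
$computer = 'pc01'
$gpoName  = 'pcOU1-Policy'           # hypothetical GPO name
$ouDn     = "OU=$ouName,$domainDn"

# Step 1: create the OU and move the computer object into it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Get-ADComputer -Identity $computer | Move-ADObject -TargetPath $ouDn

# Step 2: create a global security group inside the OU and add the computer.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $computer)

# Create the GPO and link it to the OU, with the link set to Enforced.
New-GPO -Name $gpoName |
    New-GPLink -Target $ouDn -LinkEnabled Yes -Enforced Yes

# Security filtering: grant Read + Apply to the computer group only.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply

# "Authenticated Users" has Apply by default. Downgrade it to Read so the
# GPO stays readable but only members of the group actually apply it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Verify: only $group should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission

# A computer picks up new group membership at its next restart, so reboot
# pc01 before checking the result there with: gpresult /r /scope computer
```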

Hope that is clear enough. Leave a comment if this was helpful, if clarification is needed, or with any other comments.