HOW TO: Filter Group Policy

This article explains how to apply a Group Policy Object (GPO) to a security group through the process known as filtering.

A Group Policy Object (GPO) is applied to Local Computer (via Local Policy), Site, Domain and OU in that order. When a GPO is applied to these containers it can apply settings specific to the computer (computer configuration) and settings specific to the user (user configuration). If you link a GPO that contains user configuration only to an OU with computers and users in, only the user policy is applied to the user accounts that reside in that OU. You cannot link policies to groups.

However, you can 'filter' your GPOs so that they only get applied to certain users and/or groups. This process is called GPO filtering, and is achieved by modifying the default permissions of a GPO object; that is, the GPO's DACL is modified so that only certain users and/or groups have the necessary rights to apply the policy.

To filter a GPO by a group instead of linking that GPO to a site, domain or OU, create your GPO and link it to the domain. Access the GPO's properties by right-clicking on the domain, choosing Properties, selecting the Group Policy tab, selecting the GPO that you wish to filter and choosing Properties.

In the resultant <GPO name> Properties dialog, select the Security tab, and de-select the Apply Group Policy and Read permissions from the Authenticated Users group. Add the group that you wish to apply the GPO to by clicking Add..., entering the group name into the Select Users, Computers, or Groups dialog, clicking Check Names and then OK. Now grant the group that you added the Read and Apply Group Policy permissions and choose OK (figure 1).

Figure 1

Note. For the purpose of this example, a user account was used, not a group. However, generally you will only filter by a security group.

Considerations

Policy is applied to either computers (computer settings) or users (user settings). When filtering by a security group you are filtering which principals can actually apply the policy. If you only grant a computer, or a group of computers, the Apply Group Policy permission, then no user settings are going to be applied (unless you have enabled loopback processing). The same is obviously true for user settings: if only a user or group of users can apply a GPO, then the computer settings are not going to be processed.

Security settings such as Computer Configuration account policies cannot be filtered; more specifically, you cannot filter an account policy to some computers and not others (you can, but the results will be a little different to what you expect). For instance, if you set up a password policy and then filter certain machines with a different policy, what you are doing is applying that password policy to the local machine. What that means is that local users will receive that policy; domain users won't. Password policy and other account security settings are only applied at the domain level because the Domain Controllers process account settings differently to other policy elements. It is the DCs that do the authenticating for domain users, not the local machines.

Note. For more information on how the domain controllers process account policies, please refer to the msresource.net article "Domain Security Policy Application":

-- http://www.msresource.net/content/view/36/46/

Denying a group

You can also exclude (deny) specific groups from applying policy. This is achieved by assigning the user or group the Deny permissions for Apply Group Policy and Read, instead of Allow. This will override the Authenticated Users Apply Group Policy permission, as a Deny takes precedence over any other permission.

Summary


Group policies can be filtered via group membership (security permissions). There are two main choices:
  • Exclude specific users by denying a security group apply (and read) permissions (and adding users and computers that you wish to exclude into this group).
  • Apply policy to groups of users by removing the permissions of Authenticated Users and granting a security group apply and read permissions (and adding users and computers that you want within scope into this group).
Exclusion filtering can be achieved by just denying the Apply Group Policy permission for a security group; however, it is more efficient to deny the Read permission too. If you only deny Apply Group Policy, the policy is still read (processed) but its settings are not applied. Denying the Read permission as well as Apply Group Policy results in the GPO being excluded completely, resulting in a more efficient logon experience.
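The "apply to a group" procedure above, scripted with the GroupPolicy PowerShell module rather than the GPMC dialog, as an added example that is not part of the original article; the GPO name and group names are assumptions. It also verifies the resulting ACL, which is the check worth running after any filtering change.

```powershell
# Added example (not from the article). Requires the GroupPolicy module
# (RSAT / Windows Server) and rights to edit the GPO's security.
Import-Module GroupPolicy

$GpoName    = 'Workstation Lockdown'       # assumed GPO name
$ScopeGroup = 'GPO-Workstation-Lockdown'   # assumed security group that should receive the policy

# 1. Remove Authenticated Users' Read and Apply Group Policy permissions,
#    exactly as the article does in the Security tab.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# 2. Caveat not in the original article: since the MS16-072 update (June 2016),
#    a computer retrieves user-side GPOs in its own security context, so computers
#    must keep Read on the GPO or the user settings silently stop applying.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# 3. Grant the scope group Read + Apply Group Policy (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $ScopeGroup -TargetType Group `
    -PermissionLevel GpoApply

# 4. Verify the DACL: every trustee, its permission level and whether the ACE is a Deny.
#    Set-GPPermission only writes Allow ACEs; the Deny filtering described in the
#    article still has to be set through the GPMC Security tab.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize
```

On a client outside the scope group, `gpresult /r` lists the GPO under the GPOs that were not applied with the reason "Filtering: Denied (Security)", which confirms the filter is doing what you expect.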

Document information

Author: Paul Williams
Version: 2.0
Written: 24-06-2004
Last updated: 31-07-2007
Last updated by: Paul Williams




Del.icio.us!Technorati!StumbleUpon!Furl!