I hear it all the time! You can't apply GPOs to groups or users. GPOs are applied to local PCs, sites, domains and OUs (in that order, I might add), but not to groups or users. Well, my faithful reader, you can apply them to groups and users too, with a little trickery!
In order to follow along, I will give you a little background info. I have created a group called Test Group in my AD domain. I have configured a domain-level GPO called Test Group that I want to apply to users of the Test Group only. The first thing I want to do is open up the properties of the domain and select the Group Policy tab. From this tab, select the Group Policy Object and press the Properties button. This will bring up another box with a new set of tabs; select the Security tab.
Now here is where we can configure the GPO to only apply to a group (or a user). You will see a set of groups listed; take note of the Authenticated Users group. This group includes everyone who has successfully logged into the domain. You will see that this group has Read and Apply Group Policy permissions. This allows any authenticated user that belongs to the OU to read the GPO settings and apply them to the user and/or computer. To apply our GPO to a specific group, we first must uncheck the Apply Group Policy box for Authenticated Users. Do not check Deny! As we already know, Windows applies the most restrictive of the combined security settings, and the members of our group are Authenticated Users too. If you click Deny, it will deny the application of the policy to everyone. Now Authenticated Users will still be able to read the GPO settings, but they will not get applied.
The next step is to press the Add button and add the group or user we wish to apply the GPO to. I have added the Test Group to the security permissions and given it Read and Apply Group Policy permissions.
That is it! The GPO in this domain will only be applied to users who are members of the Test Group. Pretty cool, huh?
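Here is the same filtering done from PowerShell, followed by a check that it stuck, as an added example that is not part of the original walkthrough. It assumes the GroupPolicy module (installed with GPMC/RSAT on newer Windows versions) is available; the two helper function names are made up for illustration.

```powershell
# Added example: scripted form of the GUI steps above.
# Assumes the GroupPolicy module (GPMC/RSAT). Function names are hypothetical.
Import-Module GroupPolicy

$gpoName   = 'Test Group'   # GPO name used in this post
$groupName = 'Test Group'   # security group name used in this post

function Set-GpoGroupFilter {
    param([string]$GpoName, [string]$GroupName)

    # Uncheck "Apply Group Policy" for Authenticated Users but keep Read.
    # -Replace is needed: without it an existing higher level (GpoApply)
    # is left unchanged.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # GpoApply is Read plus Apply Group Policy for the target group.
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

function Test-GpoGroupFilter {
    # Returns a list of problems; the list is empty when the filter is in place.
    param([string]$GpoName, [string]$GroupName)

    $acl = Get-GPPermission -Name $GpoName -All
    $problems = @()

    $auth = $acl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    if (-not $auth) {
        $problems += 'Authenticated Users has no Read permission'
    } elseif ($auth.Permission -ne 'GpoRead') {
        $problems += "Authenticated Users has $($auth.Permission), expected GpoRead"
    }

    $grp = $acl | Where-Object { $_.Trustee.Name -eq $GroupName }
    if (-not $grp -or $grp.Permission -ne 'GpoApply') {
        $problems += "$GroupName does not have GpoApply"
    }

    # A Deny entry overrides the Allow given to the group, so flag any.
    $acl | Where-Object { $_.Denied } |
        ForEach-Object { $problems += "Deny entry for $($_.Trustee.Name)" }

    $problems
}

Set-GpoGroupFilter  -GpoName $gpoName -GroupName $groupName
Test-GpoGroupFilter -GpoName $gpoName -GroupName $groupName
```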
For more information see:
Windows 2003 Resource Kit