Re: linking group policy in 2003 server

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Bruce Sanderson (bsanders_at_junk.junk)
Date: 01/08/05 

Date: Fri, 7 Jan 2005 16:04:47 -0800

To clarify some of the other posts, Group Policies do not apply to Groups,
only to user accounts or computer accounts in Organisational Units to which
the GPO is linked to and OUs inside the the one the GPO is linked to (GPO
links are inherited). The only thing you can do with Groups with respect to
Group Policies is to control access to the Group Policy (normal object
security) - you can prevent members of a group from reading or Applying a
Group Policy. So, you can prevent a Group Policy from being applied to
members of a Group, but you can not force a Group Policy to apply to Group
members - only to users or computers in an OU.

There is no way to "link" a Group Policy Object to a Group.

If a GPO is linked to (or inherited by) an OU that does not contain user
accounts or computer accounts, that GPO link will have no affect on
anything. 

-- 
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Sher" <Sher@discussions.microsoft.com> wrote in message 
news:F3E5E6FE-BE2E-4A7B-90B9-E1DDA73483CF@microsoft.com...
> Hi all,
> I just started using the 2003 gp.  My question is:
> I have master group policy that affects all users which has a screensaver
> enabled.
> I created a second group policy for users who I want to disable the
> screensaver.
> When you are linking policies to a user group which policy is read last 
> and
> is it the settings used?
> Example of link:
> 1.master policy with screensaver
> 2.policy disabling screensaver
> should the order of the link be as above and will the group assigned to 
> the
> disabled policy override the master policy? (or does enabling override
> disabling?)
>

Relevant Pages

  • Re: Authenticated Users vs. Individual Users - Scope problem
    ... In order to be able to apply a policy, two things need to be given: ... In order to apply a computer configuration policy, the computer objects need to have "Read" and "Apply Group Policy" permissions on the GPO just like users would need those permissions on "user configuration" GPOs. ... The whole things worked with "Authenticated Users" because the "Domain Computers" group with all those computer accounts is member of "Authenticated Users". ...
    (microsoft.public.windows.group_policy)
  • Remove Add or Remove Programs GPO Question
    ... Programs" GPO but with the following stipulations: ... I have created an OU with the desktop computer accounts and an OU with the ... Authenticated Users - Allow Apply Group Policy ...
    (microsoft.public.windows.server.active_directory)
  • RE: Restricted Group Problem My Scenario and problem..what am i do
    ... Read and Apply Group Policy Permissions. ... Normally, the computer accounts ... Open up a GPO ... this group, I add Domain admins, another domain group, and then i choose ...
    (microsoft.public.windows.server.active_directory)
  • Re: group policy doesnt apply
    ... Group policies do not apply to ... They apply only to user and computer accounts. ... a group policy was link to OU A, defines proxy settings for group A (to ... port 8080) ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group policy and deploying apps
    ... How do I filter the scope of a Group Policy object? ... > computer account in there and leave the computer accounts in separate ...
    (microsoft.public.win2000.active_directory)