Isolated Domain GPOs

Applies To: Windows Server 2008, Windows Server 2008 R2

All of the computers in the isolated domain are added to the group CG_DOMISO_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section.

Each GPO has a security group filter that prevents the GPO from applying to members of the group GP_DOMISO_No_IPsec. A WMI filter is attached to each GPO to ensure that the GPO is applied to only the specified version of Windows. Each GPO for versions of Windows other than Windows 2000 Server also has a security group filter that denies Read and Apply Group Policy permission to computers that run Windows 2000 Server. Likewise, the GPO for Windows 2000 Server has a WMI filter that enables the GPO to apply only to computers that are running Windows 2000 Server. For more information, see the Planning GPO Deployment section.

The GPOs created for the Woodgrove Bank isolated domain include the following:

• GPO_DOMISO_IsolatedDomain_Clients_Win7Vista

• GPO_DOMISO_IsolatedDomain_Servers_WS2008

• GPO_DOMISO_IsolatedDomain_Clients_WinXP

• GPO_DOMISO_IsolatedDomain_Servers_WS2003

• GPO_DOMISO_IsolatedDomain_Servers_Win2000