Filtering the Scope of a Group Policy Object

You can refine which groups of computers and users a particular Group Policy object influences by using Windows 2000 security groups. To do this, use the Security tab on the Properties page of the Group Policy object.

Filtering affects the Group Policy object as a whole. That is, you cannot use security groups to apply (or prevent from applying) only some of the settings in a Group Policy object. However, this is not true in the cases of Folder Redirection and Software Installation, which have further ACLs set at the Group Policy object level to further refine behavior based on security group membership.

Setting Security Permissions for Receiving Group Policy

A discretionary access control list (DACL) is a list of permissions (such as Read, Apply Group Policy, and Full Control) on a Group Policy object or other object. You use the DACL on a Group Policy object to allow or deny access to the Group Policy object by users and computers according to their membership in security groups.

To use the Security tab on the Properties page for a Group Policy object, right-click the root node of the Group Policy snap-in, click Properties, and then click Security.

An alternative is to open the Properties page of a given site, domain, or organizational unit, select the Group Policy tab, right-click a Group Policy object in the Group Policy object list, select Properties, and then click the Security tab. Group Policy objects that you can access this way are linked to the site, domain, or organizational unit.

You can specify which groups of users and computers have Apply Group Policy access control entries (ACEs) set to enable access to the Group Policy object. ACEs are permission entries within a discretionary access control list (DACL). Groups that have Apply Group Policy and Read access to the Group Policy object receive the configured Group Policy settings contained in it if they are subject to the Group Policy object through Active Directory. By default, authenticated users have both Apply Group Policy and Read permissions, but not Write or Full Control. This means that by default, users cannot modify the information in the Group Policy object. By default, domain administrators, enterprise administrators, and the local system have Full Control, without Apply Group Policy. By default, administrators are also authenticated users, which means that they also have the Apply Group Policy attribute set. For more information, see "Editing Group Policy Objects" later in this chapter.

Note

It is recommended that you remove the Read permission from groups that do not need to receive policy and that contain users who are not administrators, because any user with Read permission can view the settings stored in the Group Policy object. Group Policy also processes faster if both Read and Apply Group Policy are removed when Apply Group Policy is not needed. In addition, Group Policy fails if a user has Read access to more than 1,000 Group Policy objects stored in one domain. For more information about Group Policy failing when more than 1,000 Group Policy objects are present, see "Troubleshooting Change and Configuration Management" in this book.
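The following script is an added example, not part of the original chapter, that audits a domain's Group Policy object DACLs for the two conditions described above: trustees that hold Read without Apply Group Policy, and the number of objects that every authenticated user can read. It assumes the GroupPolicy RSAT module (Windows Server 2008 R2 and later, which postdates Windows 2000) and an account that can read GPO security descriptors; the -Remove switch and the $Domain value are assumptions of this example.

```powershell
# Added example: audit GPO permissions against the recommendations above.
# Requires the GroupPolicy module shipped with RSAT / Windows Server.
Import-Module GroupPolicy

function Get-GpoReadWithoutApply {
    # Lists non-denied ACEs that grant only Read (no Apply Group Policy).
    # Members of such trustees never receive the policy but can still read it,
    # so the entries are candidates for removal of the Read permission.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [switch]$Remove   # when set, strips the Read-only ACE from the GPO
    )
    # Administrative trustees hold Read/Full Control by design; skip them.
    $expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                  'ENTERPRISE DOMAIN CONTROLLERS')

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -Domain $Domain -All) {
            if ($ace.Denied -or $expected -contains $ace.Trustee.Name) { continue }
            # GpoApply already implies Read; GpoEdit and above are admin rights.
            if ($ace.Permission -ne 'GpoRead') { continue }

            [pscustomobject]@{ Gpo = $gpo.DisplayName; Trustee = $ace.Trustee.Name }

            if ($Remove) {
                # Set-GPPermission needs the trustee kind; map SID types to it.
                $kind = switch ($ace.Trustee.SidType) {
                    'User'     { 'User' }
                    'Computer' { 'Computer' }
                    default    { 'Group' }
                }
                Set-GPPermission -Guid $gpo.Id -Domain $Domain -TargetName $ace.Trustee.Name `
                    -TargetType $kind -PermissionLevel None -Replace | Out-Null
            }
        }
    }
}

function Get-GpoReadableByAuthenticatedUsers {
    # Counts GPOs that 'Authenticated Users' can read. Every domain user is in
    # that group, so the count is a lower bound on any user's readable GPOs and
    # should stay well under the 1,000-object limit described in the note.
    param([Parameter(Mandatory)][string]$Domain)
    $readable = Get-GPO -All -Domain $Domain | Where-Object {
        Get-GPPermission -Guid $_.Id -Domain $Domain -All | Where-Object {
            -not $_.Denied -and $_.Trustee.Name -eq 'Authenticated Users' -and
            $_.Permission -in @('GpoRead', 'GpoApply')
        }
    }
    [pscustomobject]@{ Domain = $Domain; ReadableByAllUsers = @($readable).Count }
}

$Domain = 'corp.example.com'   # assumed domain name; replace with your own
Get-GpoReadWithoutApply -Domain $Domain | Format-Table -AutoSize
Get-GpoReadableByAuthenticatedUsers -Domain $Domain
```

Run the audit without -Remove first and review the output, since a Read-only entry may be intentional for a delegated administrator group that edits through another permission path.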

Network administrators (members of the Enterprise Administrators or Domain Administrators group) can also use the Security tab on the Group Policy object Properties page to determine which administrator groups can modify policy settings in Group Policy objects. To do this, the network administrator can define groups of administrators (for example, marketing administrators), and then provide them with Read/write access to selected Group Policy objects. This allows the network administrator to delegate control of Group Policy objects.

Having full control of a Group Policy object does not enable you to link it to a site, domain, or organizational unit. However, you can grant that ability using the Delegation of Control Wizard.