Security filtering using GPMC
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
In order for the GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy (AGP) permissions on the GPO, either explicitly, or effectively though group membership.
By default, all GPOs have Read and AGP both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. This is how all authenticated users receive the settings of a new GPO when it is applied to an organizational unit, domain or site. However, you can change these permissions to limit the scope to a specific set of users, groups, or computers within the organizational unit, domain, or site.
Group Policy Management manages these permissions as a single unit, and displays the security filtering for the GPO on the GPO Scope tab. Using Group Policy Management Console (GPMC), you can add and remove groups, users, and computers to be used as security filters for each GPO. In addition, security principals used for security filtering also appear on Delegation tab for a GPO as having Read (from Security Filtering), since they have read access to the GPO.
To modify security filtering, you add or remove groups in the Security Filtering section on the Scope tab of a GPO. In practice, you don't have to set the two access control entries (ACEs), because GPMC sets both for you when you set security filtering. For the step-by-step procedure, see Filter using security groups.
In addition, The Read and AGP permissions are visible separately, and able to be set independently of one another, through the access control list (ACL) editor. In GPMC, the Security Filtering section of the Scope tab of a GPO shows only whether the GPO will apply. If you want to see the permissions separately, you can open the ACL editor by clicking the Advanced button on the Delegation tab for the GPO.
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
Granting Read and AGP is not sufficient to ensure that the GPO is processed for a user or computer. The GPO also has to be linked to a site, domain or organizational unit containing the user or computer, directly or through inheritance.
A GPO with security filtering set to Read and AGP doesn't necessarily apply to all security principals that have security filtering. It only applies to them if those user or computer objects are in the container or child container that is linked to the GPO.
The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.