Filter the scope of Group Policy according to security group membership
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To filter the scope of Group Policy according to security group membership
1. Open the Group Policy object whose scope you want to filter.
2. In the console tree, right-click the icon or name of the Group Policy object, and then click Properties.
3. Click the Security tab, and then click the security group through which you want to filter this Group Policy object. If you want to change the list of security groups through which to filter this Group Policy object, use the Add and Remove buttons to add or remove security groups.
4. In the Permissions box for the selected security group, select or clear the appropriate check boxes to set permissions as shown in the following table, and then click OK.
| Your intention | Permissions | Result |
| --- | --- | --- |
| Members of this security group have this Group Policy object applied to them. | Set Apply Group Policy to Allow. Set Read to Allow. | This Group Policy object applies to members of this security group, unless they are members of at least one other security group that has Apply Group Policy set to Deny, or Read set to Deny, or both. |
| Members of this security group are exempt from this Group Policy object. | Set Apply Group Policy to Deny. Set Read to Deny. | This Group Policy object never applies to members of this security group, regardless of the permissions these members have in other security groups. |
| Membership in this security group is irrelevant to whether the Group Policy object should be applied. | Set Apply Group Policy to neither Allow nor Deny. Set Read to neither Allow nor Deny. | This Group Policy object applies to members of this security group if and only if they have both Apply Group Policy and Read set to Allow as members of at least one other security group. They also must not have Apply Group Policy or Read set to Deny as members of any other security group. |
To complete this procedure, you must be logged on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
To open Group Policy Object Editor, see Related Topics.
Group Policy objects are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and computers that they contain. In particular, Group Policy objects are not linked to security groups.
The location of a security group in Active Directory has no relation to, and no effect on, filtering through that security group as described in this procedure.
If a user or computer is not contained in a site, domain, or organizational unit that is subject to a Group Policy object, either directly through a link or indirectly through inheritance, there is no combination of permissions on any security group that can cause those Group Policy settings to affect that user or computer.
Filtering at the Group Policy object level, as described in this procedure, causes the Group Policy object to be processed or not processed as a whole. The Group Policy Software Installation and Folder Redirection extensions use security groups to refine control beyond the Group Policy object level. Except for Folder Redirection and Group Policy Software Installation, security groups are not used to filter individual settings, or subsets, of a Group Policy object. For control over individual settings, edit or create a Group Policy object instead.
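The permission rules in the table and the scope requirement in the notes can be modeled as a small evaluator, which is useful when reviewing which accounts a Deny entry exempts from a Group Policy object. This Python model is an added example, not Microsoft's code or part of the original page. The group names, accounts, and function names are constructed for illustration, and it assumes that Allow entries accumulate across a principal's groups, as in standard Windows ACL evaluation.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Ace:
    """One group's row on the GPO Security tab; None means neither box is set."""
    group: str
    apply_gp: Optional[str] = None
    read: Optional[str] = None

def gpo_applies(acl, member_of, in_scope=True):
    """Return (applies, reason) for one user or computer (hypothetical helper)."""
    # No permission combination helps outside a linked site, domain, or OU.
    if not in_scope:
        return False, "out of scope"
    relevant = [a for a in acl if a.group in member_of]
    # A Deny on either permission wins, whatever other groups allow.
    for ace in relevant:
        if DENY in (ace.apply_gp, ace.read):
            return False, "deny:" + ace.group
    # Assumption: Allow entries accumulate across the principal's groups.
    can_apply = any(a.apply_gp == ALLOW for a in relevant)
    can_read = any(a.read == ALLOW for a in relevant)
    return (True, "allow") if can_apply and can_read else (False, "no allow")

def exempt_by_deny(acl, directory):
    """Audit helper: map each principal exempted by a Deny to the group causing it."""
    reasons = {n: gpo_applies(acl, g)[1] for n, g in directory.items()}
    return {n: r[5:] for n, r in reasons.items() if r.startswith("deny:")}

# Constructed sample data (hypothetical groups and accounts).
ACL = [
    Ace("Authenticated Users", ALLOW, ALLOW),
    Ace("Baseline-Exempt", DENY, DENY),
    Ace("Helpdesk"),  # neither Allow nor Deny: membership is irrelevant
]
DIRECTORY = {
    "alice": {"Authenticated Users", "Helpdesk"},
    "bob": {"Authenticated Users", "Baseline-Exempt"},
    "carol": {"Helpdesk"},
}

if __name__ == "__main__":
    for user, groups in DIRECTORY.items():
        print(user, gpo_applies(ACL, groups))
    print("exempt:", exempt_by_deny(ACL, DIRECTORY))
```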
Information about functional differences
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.