KJ,
I think that you are missing the point that David is trying to make. I am
referring to the security groups acting as a filter aspect to GPOs.
You cannot apply Group Policies to a security group. This must be clear.
You apply GPOs to either the local computer, Sites, Domains or
Organizational Units. That just happens to also be the pecking order. So,
a GPO linked to an OU would 'win' should there be a setting that conflicts
with the same setting in a GPO linked to the Domain.
What David is trying to suggest is that you can, however, use a security
group to filter which users in an OU are affected by that GPO. Let's take an
example to make this clear.
Let's say that you have an organization that decides to create OUs based on
Departments. So, we have an OU called DEPARTMENTS and sub-OUs. We have an
Accounting sub-OU, a Finance sub-OU, an IT sub-OU and a Sales sub-OU. Let's
say that each sub-OU contains some 150 user accounts (except the IT sub-OU,
which has some six or seven user accounts).
Let's say that for each sub-OU we create various GPOs that are very specific
to each Department's needs. Furthermore, let's say that there are
something like 12 GPOs that are applied. I am making this more detailed
than it probably needs to be but there is a point to all this! I promise.
As you can see, it might be a bit problematic to have to re-arrange things
as they are firmly entrenched in this set up.
Now, let's say that there is some software application that we need to
install to some 120 users (40 users from each of the three non-IT
sub-OUs). We need to install it to the user configuration side of things
as it would need to follow them should any of them need to log on to a
computer other than his/her 'normal' computer.
How do we do this? If we create a GPO and link it to the Accounting sub-OU,
to the Finance sub-OU and to the Sales sub-OU then it applies to every user
account in that particular OU to which it is linked. This is because, by
default, the Authenticated Users group is given both read and apply policy
rights! We do not want this. We want it applied to only some 40 very
specific user accounts in each sub-OU. Herein lies the root of the problem!
See, I told you a bit ago that the point was coming! Here it is!!!!!
Here is how to resolve this dilemma: we can create a security group, add
the desired 120 user accounts to that security group and at the GPO simply
replace the Authenticated Users with the security group that we just created
and give it read and apply policy rights! Situation resolved!
I hope that this helps you to better understand what David is suggesting.
Cary
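The procedure Cary describes, as an added worked example that is not part of the original post or thread: a user-side GPO linked to three department OUs, security-filtered so that only members of one group receive it. The domain name corp.example, the OU paths, the group name GPO-AppX-Users, the GPO name "Deploy AppX (User)" and the two sample account names are assumptions for illustration. It needs the RSAT GroupPolicy and ActiveDirectory modules and an account allowed to create groups and GPOs. One caveat a practitioner should know that post-dates the thread: since MS16-072 (KB3163622) the client retrieves user-side policy using the computer's security context, so Authenticated Users (or Domain Computers) must keep Read on the GPO; only the Apply Group Policy right is removed, which is what GpoRead with -Replace does below.

```powershell
# Added example, not code from the original post. All names below are assumed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN  = 'DC=corp,DC=example'                              # assumed domain
$gpoName   = 'Deploy AppX (User)'                              # assumed GPO name
$groupName = 'GPO-AppX-Users'                                  # assumed filtering group
$ous       = 'Accounting','Finance','Sales' |
             ForEach-Object { "OU=$_,OU=DEPARTMENTS,$domainDN" } # assumed OU tree
# Constructed sample members; in practice this is the ~120 target accounts.
$members   = 'jdoe','asmith'

# 1. Create the security group (if needed) and populate it with the target users.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path "OU=Groups,$domainDN"
}
Add-ADGroupMember -Identity $groupName -Members $members

# 2. Create the GPO (if needed) and link it to each department sub-OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
foreach ($ou in $ous) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue
}

# 3. Security filtering: the group gets Read + Apply Group Policy ...
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply

# ... and Authenticated Users is downgraded from Read+Apply to Read only.
# Do NOT set it to None: since MS16-072 the computer account must still be able
# to read the GPO, or user-side settings stop applying for everyone.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace

# 4. Verify the result: expect GpoApply for the group and GpoRead for Authenticated Users.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

After running it, `gpresult /r /scope:user` on a client logged on as a group member should list the GPO under Applied Group Policy Objects, while a non-member in the same OU should see it under "filtered out" with the reason Security.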