Best way to apply GPO to certain groups

mvalpreda · 2019-06-04T14:00:11.000Z

I used to just have users or computers in a group and would use GPO Security Filtering to only apply that GPO to users/computers in that group.

Since the security change, now I add ‘Domain Computers’ and the group I want - which seems to be fine. I don’t feel like this is the best way. Is there a better way to do this?

Typically doing this on Server 2012 R2 and above.

capef3ar · 2019-06-04T14:13:17.000Z

I believe that this still needs to be done if any other group other than authenticated users is listed under Security Filtering.

justin1250 · 2019-06-04T14:57:23.000Z

You just have to list authenticated users with a read delegation on the security tab.

This is because of a security change. User GPOs are now read by the computer object.

There is nothing wrong with this. Other ways of filtering GPOs would be by OU management and organization. ILT on GPP GPOs. WMI filters, to name a few.

mvalpreda · 2019-06-04T16:06:44.000Z

So how I am doing it is fine after removing ‘Authenticated Users’?

justin1250 · 2019-06-04T16:49:50.000Z

mvalpreda:

So how I am doing it is fine after removing ‘Authenticated Users’?

Sure, that will work. All the domain computers group really needs though is a read delegation on the last tab. If you add it to the security filtering box it also gets an apply delegation but that would not matter if there are no computer settings that you want to filter.

Internet_Schneider · 2019-06-04T17:32:10.000Z

Definitely, Security Filtering is the way to go. Take a look at this link, it’ll tell you how can you do that:

How to apply a Group Policy Object to individual users or computer

mvalpreda · 2019-06-06T16:45:41.000Z

Thanks @EminentX. I think I saw that article but got lost/confused somewhere. Looking at it now makes sense.