JSI Tip 4231. How do I filter the scope of a Group Policy object?

In tip 2492, I described how to filter local Group Policy.

Using the Security tab of the Properties of a Group Policy object, an administrator can filter the users and computers by using Windows 2000 security groups to set the DACL to allow or deny access to the GPO.

NOTE: With the exception of Folder Redirection and Software Installation, filtering affects the entire GPO.

To set the filter, right-click the root node of the Group Policy snap-in, press Properties, and press Security.

NOTE: You can also open the Properties of a site, domain, or organizational unit and select the Group Policy tab. Right-click the a Group Policy object and select it's Properties.

NOTE: Users and groups must have Read and Apply Group Policy permissions to receive the Group Policy settings. Authenticated Users have Read and Apply Group Policy by default. I would remove these permissions from groups whose members DO NOT need to receive the GPO, to speed up Group Policy processing, and to keep members from viewing the policy.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.