How to Apply GPO to Computer Group in Active Directory

A Group Policy Object (GPO) can be applied to computers. The most common way to do that is to link the computer GPO to the OU that contains the computers. By default, the policy is enforced on all computers that reside under that OU. If a policy is meant for only a few particular computers, those computers must be grouped together in an Active Directory computer group. This article covers how to apply a GPO to a computer group in Active Directory. This approach is more efficient than creating a new OU for those computers every time such a need arises.

In this example, the computers are all joined to a domain named asaputra.com, and the domain controller runs Windows Server 2012 R2. All client computers run Windows 10 and are located in the Prod OU.

A Group Policy Object named “Secured Computer Policy” has been created and linked to the Prod OU. By default, the GPO is applied to all the computers in this OU.

The steps below explain how to filter the “Secured Computer Policy” GPO so that it is applied only to WKS002 and WKS003.

1. Create a group
The group must be created in the OU where the policy is linked. Open the OU in the Active Directory Users and Computers console, right-click an empty area, then select New > Group.

Specify the group name, then select Global as the group scope and Security as the group type.

Click OK to save the options, and verify that the group has been created.

2. Add the targeted computers as group members
Double-click the group name to open its properties. Select the Members tab and click the Add button.

A window will pop up. Click the Object Types button and make sure Computers is ticked.

Now type in the targeted computer names, separated with a semicolon, then click the Check Names button. If they are typed correctly, the names will be underlined.

Make sure that all targeted computers have been added as group members, then click OK to confirm.

3. Modify the GPO Security Filtering
Switch to the Group Policy Management Console. Select the policy object to be modified and open the Scope tab.

In the Security Filtering section, select the Authenticated Users group and click the Remove button.

Then, still in the Security Filtering section, click the Add button.

Type in the name of the group that was created in the previous step. Make sure it is typed correctly by clicking the Check Names button, then click OK to confirm.

Verify that the group has been added to the list.

Lastly, to ensure the policy works, Authenticated Users still needs to have at least Read access to the policy. In the same policy object, go to the Delegation tab and click the Add button.

Add the Authenticated Users group with Read permission.
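
Steps 1 to 3 can also be scripted and the resulting GPO permissions checked. The PowerShell below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the Prod OU sits directly under the domain root (the distinguished name is an assumption).

```powershell
# Added example: scripted equivalent of steps 1-3, run as a user allowed to
# create groups in the OU and to edit the GPO's permissions.
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Secured Computer Policy'      # from the article
$GroupName = 'SECURED_COMPUTER'             # from the article
$OuPath    = 'OU=Prod,DC=asaputra,DC=com'   # assumption: Prod is directly under the domain root
$Computers = 'WKS002', 'WKS003'             # from the article

# Step 1: create the Global / Security group in the OU unless it already exists.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OuPath
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $OuPath -PassThru
}

# Step 2: add the targeted computer accounts, skipping any that are already members.
$current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty Name
foreach ($name in $Computers) {
    if ($current -notcontains $name) {
        Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $name)
    }
}

# Step 3: the group gets Read + Apply; Authenticated Users is lowered to Read only.
# -Replace is needed because Set-GPPermission does not lower an existing level without it.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# Check: stop with an error if the GPO's permissions differ from what the steps describe.
$acl = Get-GPPermission -Name $GpoName -All
$expected = @{ $GroupName = 'GpoApply'; 'Authenticated Users' = 'GpoRead' }
foreach ($trustee in $expected.Keys) {
    $entry = $acl | Where-Object { $_.Trustee.Name -eq $trustee }
    if (-not $entry -or "$($entry.Permission)" -ne $expected[$trustee]) {
        throw "Unexpected permission for '$trustee' on '$GpoName': $($entry.Permission)"
    }
}
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The final line lists every trustee on the GPO, which makes it easy to spot any other group that still holds Apply rights and would receive the policy.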

Verification

We can check that the policy has been applied correctly. On the client computer, open an elevated command prompt and run the command gpresult /r /SCOPE COMPUTER. On computers that are members of the SECURED_COMPUTER group, which are WKS002 and WKS003, the result will show that the policy is applied normally.

But on a computer that is outside the group, the result will show that the policy is filtered out.

Please bear in mind that applying a GPO to a computer group may be a little bit tricky. If you see the GPO being filtered out on a computer that is a member of the targeted group, there is a chance that the computer has not yet realized that it has become a member of the group. In this case, a reboot is needed for the computer to refresh its group membership. To check the computer's group membership, use the same command as above and scroll down to the bottom section, where you will see this information.

And that’s how to apply a GPO to a computer group in Active Directory.

Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am an IT practitioner in real life with a specialization in network and server infrastructure. I have years of experience in the design, analysis, operation, and optimization of infrastructure solutions for enterprise-scale networks. You can send me a message on LinkedIn or email arranda.saputra@outlook.com for further inquiries regarding stuff that I wrote or opportunities to collaborate on a project.