A Group Policy Object (GPO) can be applied to computers. The most common way to do that is to link the GPO to the OU that contains the computers. By default, the policy is enforced on all computers that reside under that OU. If a policy is meant only for a few particular computers, those computers must be grouped together in an Active Directory computer group. This article covers the details of how to apply a GPO to a computer group in Active Directory. This approach is more efficient than creating a new OU for those particular computers every time such a need arises.
How to Apply GPO to Computer Group in Active Directory
In this example, the computers are all joined to a domain named asaputra.com and the domain controller is installed on Windows Server 2012 R2. All client computers run Windows 10 and are located in the Prod OU.
A group policy object named “Secured Computer Policy” has been created and linked to the Prod OU. By default, the GPO is applied to all the computers in this OU.
The step-by-step procedure below explains how to filter the “Secured Computer Policy” GPO so that it is applied only to WKS002 and WKS003.
1. Create a group
The group must be created on the OU where the policy is linked. Open the OU in the Active Directory Users and Computers console, right-click an empty area, then select New > Group.
Specify the group name, then select Global as the group scope and Security as the group type.
Click OK to save the options, and verify the group has been created.
2. Add the targeted computers as group members
Double-click the group name to open its properties. Select the Members tab and click the Add button.
A window will pop up. Click the Object Types button and make sure Computers is ticked.
Now type in the targeted computer names, separated by semicolons, then click the Check Names button. If they are typed correctly, the names will be underlined.
Make sure that all targeted computers have now been added as group members, then click OK to confirm. After adding computers to the group, restart each computer for the group membership to take effect.
3. Modify the GPO Security Filtering
Switch to the Group Policy Management Console. Select the policy object that is to be modified and select the Scope tab.
In the Security Filtering section, select the Authenticated Users group and click the Remove button.
Then, still in the Security Filtering section, click the Add button.
Type in the name of the group that was created in the previous step. Make sure it is typed correctly by clicking the Check Names button, then click OK to confirm.
Verify the group has been added to the list.
Lastly, to ensure the policy works, Authenticated Users still needs to have at least Read access to the policy. In the same policy object, go to the Delegation tab and click the Add button.
Add the Authenticated Users group with Read permission.
We can check that the policy has been applied correctly. On the client computer, open an elevated command prompt and run the command gpresult /r /SCOPE COMPUTER. On computers that are members of the SECURED_COMPUTER group, which are WKS002 and WKS003, the result will show that the policy is applied normally.
But on a computer that is outside the group, the result will show that the policy is filtered out.
Bear in mind that applying a GPO to a computer group can be a little tricky. If you see the GPO being filtered out on a computer that is a member of the targeted group, there is a chance that the computer has not yet picked up its membership in the group. In this case, a reboot is needed for the computer to refresh its group membership. To check the computer's group membership, use the same command as above and scroll down to the bottom section, where this information is listed.
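The three steps above can also be scripted, which makes the resulting permissions repeatable and easy to audit. The PowerShell below is an added example, not part of the original article; it assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed and that the Prod OU sits directly under the domain root, so the distinguished name OU=Prod,DC=asaputra,DC=com is an assumption.

```powershell
# Added example: scripted equivalent of steps 1-3 (not from the original article).
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Secured Computer Policy'
$GroupName = 'SECURED_COMPUTER'
$OuPath    = 'OU=Prod,DC=asaputra,DC=com'   # assumed location of the Prod OU
$Targets   = 'WKS002', 'WKS003'

# Step 1: create a Global Security group in the OU, unless it already exists.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OuPath)) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath
}

# Step 2: add the computer accounts. Get-ADComputer stops on a mistyped name,
# which is the scripted counterpart of the Check Names button.
$existing = @(Get-ADGroupMember -Identity $GroupName |
              Select-Object -ExpandProperty distinguishedName)
$toAdd = @($Targets |
           ForEach-Object { Get-ADComputer -Identity $_ -ErrorAction Stop } |
           Where-Object { $existing -notcontains $_.DistinguishedName })
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# Step 3a: give the group Read + Apply, which is what Security Filtering grants.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Step 3b: lower Authenticated Users from Apply to Read only.
# -Replace is required; without it an existing higher permission is kept.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Check: stop if the resulting permissions differ from what the article describes.
$acl = Get-GPPermission -Name $GpoName -All
$au  = $acl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
$grp = $acl | Where-Object { $_.Trustee.Name -eq $GroupName }
if ($au.Permission -ne 'GpoRead' -or $grp.Permission -ne 'GpoApply') {
    throw "Unexpected permissions on '$GpoName'"
}
$acl | Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission | Format-Table
```

The targeted computers still need a restart before gpresult /r /SCOPE COMPUTER reports the policy as applied.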
And that’s how to apply GPO to computer group in Active Directory.