You want to configure a GPO so that it applies only to members of a particular security group.
220.127.116.11 Using a graphical user interface
18.104.22.168 Using a command-line interface
> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply > setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None
22.214.171.124 Using VBScript
' This code adds a security group filter permission to a GPO ' and removes the Authenticated Users filter permission. ' ------ SCRIPT CONFIGURATION ------ strGPO = "<GPOName>" ' e.g. Sales GPO strDomain = "<DomainDNSName>" ' e.g. rallencorp.com strGroupAdd = "<GroupName>" ' e.g. SalesUsers strGroupRemove = "Authenticated Users" ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( ) ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the specified GPO set objGPMSearchCriteria = objGPM.CreateSearchCriteria objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _ objGPMConstants.SearchOpEquals, cstr(strGPO) set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria) if objGPOList.Count = 0 then WScript.Echo "Did not find GPO: " & strGPO WScript.Echo "Exiting." WScript.Quit elseif objGPOList.Count > 1 then WScript.Echo "Found more than one matching GPO. Count: " & _ objGPOList.Count WScript.Echo "Exiting." WScript.Quit else WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName end if ' Get permission objects to Apply GPO set objGPMPerm1 = objGPM.CreatePermission(strGroupAdd, _ objGPMConstants.PermGPOApply, False) set objGPMPerm2 = objGPM.CreatePermission(strGroupRemove, _ objGPMConstants.PermGPOApply, False) ' Get the existing set of permissions on the GPO set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo( ) ' Add the new permission objSecurityInfo.Add objGPMPerm1 ' Remove Authenticate users objSecurityInfo.Remove objGPMPerm2 on error resume next ' Apply the permission to the GPO objGPOList.Item(1).SetSecurityInfo objSecurityInfo if Err.Number <> 0 then WScript.Echo "There was an error setting the security filter." WScript.Echo "Error: " & Err.Description else WScript.Echo "Added Apply permission for group " & strGroupAdd WScript.Echo "Removed Apply permission for group " & strGroupRemove end if
Creating a security filter for a GPO consists of granting a specific group the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO to only be applied to members of another group.
Avoid using "Deny" as part of the security filter because it can lead to confusion with accounts that have membership of groups with conflicting filter settings. For example, if a user is a member of a group that has "Deny" set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot.
126.96.36.199 Using VBScript
First, I have to find the target GPO. I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If none or more than one were returned, I abort the script. If only one GPO is returned, I create two GPM.CreatePermission objects for the group I want to add as a security filter and for the Authenticated Users group. Next, I use the GPMGPO.GetSecurityInfo to retrieve the current ACL on the GPO. Finally, I add the permission to the ACL for group I want as the new security filter, and I remove the permission for Authenticated Users.
9.14.4 See Also
MSDN: GPM.CreatePermission and MSDN: GPMGPO.GetSecurityInfo