The design created by Microsoft for Group Policies in Windows 2000 is to apply them to Organization Units (OUs) instead of applying them to actual user groups. This works great if you can sort your domain into OUs that don't change often and people don't need to be a part of more than one. But if you have people that belong to different departments (IE sales and marketing) and each department needs it own policies this can lead to some rather unpleasant complications. Another issue is applying the policy to only part of the people in the OU.
Process to apply the Group Policy to a single group
Now that you know you want to apply a group policy to a User, single Group, or multiple Groups within an OU or within a domain you need to know how.
NOTE: If all the groups that are being affected are part of a single OU then create the policy for the OU otherwise create it for the whole domain.
- Create the policy you want to apply. This is the most time consuming and difficult part of the whole process.
- Go to the properties for the policy (right click on the policy name and select properties) and select the Security tab.
- Remove the Apply Group Policy right for Authenticated Users.
- Next click Add and select the user, group or groups you want to Apply this policy to.
- Give them Read and Apply Group Policy permissions.
Next Time a member of the group you selected (Or the user you selected) logs on this new policy will be applied to them. It will also be applied if they are logged on when the policy refresh interval occurs
Real World Example
In the Windows 2000 Domain I administer I needed to use this method to apply a specific policy for all our Windows 2000 Terminal Services Users. I needed to lock them down from accessing anything on the server except the small handful of programs they needed to do there jobs. Since the users of the Terminal Clients changed frequently I decided that it would be almost impossible to put the affected users into there own OU. I created a specific Domain Wide policy that locked down the system completely (not even allowed access to the C drive) and changed the security to apply the policy to the Win2k built-in TERMINAL SERVER USER group which contains any user that is logged onto a Terminal Server. I also set the policy to deny the Apply this policy right to the Domain Admins group so I could log onto the server from any thin client to do maintenance.
I hope this information helps you in applying Windows 2000 Group Policies and helps with your migrations to a Windows 2000 network.