1 00:00:00,420 --> 00:00:07,020 Although you can use the enforcement and block inheritance options to control the application of 2 00:00:07,090 --> 00:00:09,390 GPOs to container objects, 3 00:00:09,390 --> 00:00:16,590 you might need to apply GPOs only to certain groups of users or computers rather than to all users 4 00:00:16,590 --> 00:00:20,040 or computers within the scope of the GPO. 5 00:00:20,040 --> 00:00:27,000 You cannot directly link a GPO to a security group, but there is a way to apply GPOs to specific 6 00:00:27,000 --> 00:00:35,460 security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy 7 00:00:35,460 --> 00:00:37,650 permissions to the GPO. 8 00:00:37,740 --> 00:00:45,630 Each GPO has an access control list, or ACL, that defines permissions to the GPO. Two permissions, Allow 9 00:00:45,630 --> 00:00:53,350 Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. 10 00:00:53,370 --> 00:01:01,380 For example, if a GPO is scoped to a computer by its link to the computer's OU, but the computer 11 00:01:01,380 --> 00:01:08,310 doesn't have Allow Read and Allow Apply Group Policy permissions, it will not download and apply the 12 00:01:08,310 --> 00:01:09,140 GPO. 13 00:01:09,210 --> 00:01:15,720 Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that 14 00:01:15,720 --> 00:01:22,020 its settings apply only to the computers and users that you specify. By default, 15 00:01:22,020 --> 00:01:28,710 members of the Authenticated Users group receive the Allow Apply Group Policy permission on each 16 00:01:28,710 --> 00:01:29,940 new GPO. 17 00:01:29,940 --> 00:01:36,990 This means that by default all users and computers are affected by the GPOs set for their domain, 18 00:01:37,230 --> 00:01:43,800 site, or OU, regardless of the other groups in which they might be members. 
19 00:01:43,800 --> 00:01:51,240 Therefore, there are two ways of filtering GPO scope. Remove the Apply Group Policy permission, by default 20 00:01:51,240 --> 00:01:58,230 set to Allow, so you can remove it for the Authenticated Users group, but do not set this permission 21 00:01:58,230 --> 00:01:59,040 to Deny. 22 00:01:59,160 --> 00:02:06,030 Then determine the groups to which the GPO should be applied and set the Read and Apply Group Policy 23 00:02:06,030 --> 00:02:08,670 permissions for these groups to Allow. 24 00:02:08,670 --> 00:02:15,660 And the second way is to identify the groups that the GPO should not be applied to, and then set the 25 00:02:15,960 --> 00:02:22,800 Apply Group Policy permission for these groups to Deny. If you deny the Apply Group Policy permission 26 00:02:22,800 --> 00:02:29,040 to a GPO, the user or computer will not be able to apply settings in the GPO, 27 00:02:29,160 --> 00:02:36,440 even if the user or computer is a member of another group that is granted the Apply Group Policy permission. 28 00:02:36,450 --> 00:02:44,040 These groups are also known as exemption groups. You can use security group filtering to manage the 29 00:02:44,040 --> 00:02:51,320 scope of a GPO you are testing. Instead of creating a child OU to manage the GPO scope for test, 30 00:02:51,320 --> 00:02:56,850 link the GPO to the location to which it belongs in production. 31 00:02:56,850 --> 00:03:04,110 However, instead of allowing the GPO to apply to Authenticated Users or to the production security 32 00:03:04,110 --> 00:03:11,260 group, configure a security group specifically designed to limit the scope of the GPO to appropriate 33 00:03:11,320 --> 00:03:12,890 users and computers. 
34 00:03:12,960 --> 00:03:20,100 The benefit of this practice is that it gives a much more realistic picture of how the GPO will perform 35 00:03:20,100 --> 00:03:27,380 in production, because you are not artificially limiting its scope or precedence by linking it to a separate 36 00:03:27,380 --> 00:03:28,670 test OU. 37 00:03:28,770 --> 00:03:36,330 In other words, you get a better picture of how the GPO interacts with the other GPOs that are 38 00:03:36,420 --> 00:03:43,290 already in production, and yet you still maintain full control over the specific users and computers 39 00:03:43,470 --> 00:03:45,930 that are within the test scope. 40 00:03:45,930 --> 00:03:51,520 You should set the security filtering on the GPO before you link it to the OU. 41 00:03:51,720 --> 00:03:55,270 So, to filter a GPO to apply to specific groups, 42 00:03:55,350 --> 00:04:02,460 you have to select the GPO in the Group Policy Objects container in the console tree. Then, on the Scope 43 00:04:02,460 --> 00:04:09,870 tab, in the Security Filtering section, select the Authenticated Users group and then click Remove. Click 44 00:04:09,870 --> 00:04:15,900 OK to confirm the change, then click Add and select the group to which 45 00:04:15,990 --> 00:04:19,330 you want the policy to apply, and then click OK. 46 00:04:19,440 --> 00:04:27,600 If you want to filter a GPO to exclude specific groups, the Scope tab of a GPO doesn't allow you to exclude 47 00:04:27,630 --> 00:04:35,010 the specific groups. So to exclude the group, that is, to deny the Apply Group Policy permission, you must 48 00:04:35,010 --> 00:04:37,010 use the Delegation tab. 
49 00:04:37,260 --> 00:04:45,120 So, to deny a group the Apply Group Policy permission, first select the GPO in the Group Policy Objects 50 00:04:45,120 --> 00:04:52,380 container in the console tree, then click the Delegation tab, and then click Advanced. In the Security Settings 51 00:04:52,380 --> 00:04:59,130 dialog box, click Add, then select the group that you want to exclude from the GPO. Click OK. 52 00:04:59,160 --> 00:05:04,610 The group that you selected receives the Allow Read permission by default. 53 00:05:04,730 --> 00:05:11,970 Then clear the Allow Read permission check box, select the Deny Apply Group Policy check box, and click 54 00:05:11,970 --> 00:05:18,690 OK. On this step, you receive a warning that Deny permissions override other permissions. Because Deny 55 00:05:18,720 --> 00:05:22,170 permissions override the Allow permissions, 56 00:05:22,170 --> 00:05:25,920 it is recommended that you use them very carefully. 57 00:05:25,920 --> 00:05:29,120 The warning message reminds you of this best practice. 58 00:05:29,190 --> 00:05:36,060 The process to exclude groups from the Deny Apply Group Policy permission is far more laborious 59 00:05:36,340 --> 00:05:42,550 than the process to include groups in the Security Filtering section of the Scope tab. 60 00:05:42,840 --> 00:05:47,490 So if you decided to deny, click Yes to confirm that you want to continue. 61 00:05:47,490 --> 00:05:51,400 Please note that Deny permissions are not available on the Scope tab. 62 00:05:51,840 --> 00:05:58,110 Unfortunately, when you exclude a group, the exclusion is not shown in the Security Filtering section of 63 00:05:58,110 --> 00:05:59,260 the Scope tab. 64 00:05:59,280 --> 00:06:03,800 This is one more reason to use Deny permissions very carefully. 
65 00:06:03,810 --> 00:06:11,010 Also, please note that if you remove the Authenticated Users group and then scope the GPO to a specific 66 00:06:11,010 --> 00:06:16,830 group, users will not be able to read the policy to perform Group Policy management tasks. 67 00:06:16,830 --> 00:06:24,480 Be sure to assign appropriate personnel the Read permission to the GPO, but do not assign them the apply 68 00:06:24,520 --> 00:06:25,610 policy permission.