Tuesday, February 19, 2008

Group Policy can be fun....

Well, I'm heavy into Active Directory Group Policy using a good book by Jeremy Moskowitz as my guide. I'm learning how to do the "Big Brother" stuff to all the users and computers in an Active Directory domain. The concepts are pretty straightforward, but the devil is in those details.......

Just some notes here to myself.....

You can put an OU inside another OU, but you can't put a group inside another group. This reminds me of the old saying "You can take the girl out of Arkansas, but you can't take the Arkansas out of the girl..."

You can add a computer to a group, but you have to remember to click the "object types" button when you are in the "select things to add" dialog box and then check "computers" so that computers will appear as possible things for you to add to the group.

You can limit the scope of a GPO in two ways:

Way 1 - The first way (and best way it seems to me) is to simply create two groups and apply the GPO only to the group you want to have it. Put everyone you want to get the GPO in the group that you applied the GPO to. Perhaps there are times when this is not practical; this leads us to the second way to limit the GPO scope...

Way 2 - First create the GPO and apply it to "Authenticated Users", which is the default and covers everybody. Then, on the "Scope" tab of the GPO, add another group. This second group will be for the people that you DON'T want the GPO applied to. Once you've added that second group, go to the "Delegation" tab of the GPO and then click the "Advanced" button. Then scroll down to the group you just added and check the "Deny" box under "Apply group policy". This works, but it's tricky because when you go back to the "Scope" tab of the GPO, the second group no longer appears, since the GPO doesn't apply to it anymore. BUT, it's still affected by the GPO since the GPO is now denied to it. You can still see the group by going to the "Delegation" tab of the GPO and looking at the list of groups. The group will have "Custom" under "Allowed Permissions". Sheeeesh....
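Here is an added example of the same two methods done from PowerShell with the GroupPolicy module (it ships with RSAT, not something from the post or the book). Way 1 is a function that hands "Apply" to one group and drops Authenticated Users to Read only; the second function hunts for the deny entries that Way 2 hides from the Scope tab. The function names and the group name are mine and hypothetical.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy module
# (Get-GPO, Get-GPPermission, Set-GPPermission) is installed and that you run
# it as an account allowed to read and edit GPO security.
Import-Module GroupPolicy

# Way 1: scope the GPO to one group. Authenticated Users keeps Read so the
# GPO is still readable during processing, but only the named group gets Apply.
function Set-GpoScopeToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName   # e.g. 'GPO-Lockdown-Users' (hypothetical)
    )
    # -Replace removes the default "Authenticated Users: Apply" entry and sets Read only.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # Grant Apply (which includes Read) to the chosen group.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Way 2 audit: a Deny on "Apply Group Policy" drops the group off the Scope tab,
# so walk every GPO in the domain and report who is denied on which GPO.
function Find-GpoDenyApply {
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo     = $gpo.DisplayName
                    Trustee = $_.Trustee.Name
                    Denied  = $_.Permission
                }
            }
    }
}

Find-GpoDenyApply | Format-Table -AutoSize
```

Run Find-GpoDenyApply whenever a GPO "isn't applying" to someone it should, since a forgotten deny entry is invisible on the Scope tab but still wins over any Allow.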