by Michael Day
The design Microsoft chose for Group Policy in Windows 2000 links policies to Organizational Units (OUs) rather than to user groups. This works well if you can sort your domain into OUs that do not change often and nobody needs to belong to more than one. But if you have people who belong to several departments (e.g. sales and marketing) and each department needs its own policies, this leads to some rather unpleasant complications. Another issue is applying the policy to only part of the people in the
Process to apply the Group Policy to a single group
Now that you know you want to apply a Group Policy to a user, a single group, or multiple groups within an OU or within a domain, you need to
NOTE: If all the groups that will be affected sit in a single OU, create the policy on that OU; otherwise create it for the whole domain. Filtering by group only narrows the policy within the container it is linked to, so the link must still cover every user the policy should reach.
- Create the policy you want to apply. This is the most time-consuming and difficult part of the
- Go to the properties for the policy (right-click the policy name and select Properties) and select the Security tab.
- Remove the Apply Group Policy right for
- Next click Add and select the user, group or groups you want to apply this policy to.
- Give them the Read and Apply Group Policy permissions. Both are needed: a user who holds Apply Group Policy but cannot read the policy object does not receive it.
The next time a member of the group you selected (or the user you selected) logs on, this new policy will be applied to them. It will also be applied if they are already logged on when the background policy refresh interval occurs. Group membership is taken from the user's logon token, so a user you add to the group after they logged on will not match the filter until they log off and on again.
Real World Example
In the Windows 2000 Domain I administer I needed to use this method to apply a specific policy for all our Windows 2000 Terminal Services Users. I needed to lock them down from accessing anything on the server except the small handful of programs they needed to do their jobs. Since the users of the Terminal Clients changed frequently I decided that it would be almost impossible to put the affected users into their own OU. I created a specific Domain Wide policy that locked down the system completely (not even allowed access to the C drive) and changed the security to apply the policy to the Win2k built-in TERMINAL SERVER USER group, which contains any user that is logged onto a Terminal Server. I also set the policy to deny the Apply this policy right to the Domain Admins group so I could log onto the server from any thin client to do
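The same procedure scripted rather than clicked, as an added example that is not part of Michael Day's article: it performs the Security-tab steps of the list above and the Domain Admins deny from the real-world example, using the GroupPolicy and ActiveDirectory PowerShell modules that ship with RSAT on Windows Server 2008 R2 and later (Windows 2000 had no cmdlets for this). The GPO name 'TS Lockdown' and the function name Set-GpoApplyFilter are assumptions. The article's truncated step does not say whose Apply Group Policy right is removed; the example assumes the Authenticated Users entry that every new GPO carries by default, and leaves that entry with Read so that every user (and, since MS16-072, the computer account) can still read the policy. The Terminal Server User SID S-1-5-13 and the Apply-Group-Policy rights GUID are the real Windows values.

```powershell
# Added example, not code from the original article.
# Requires RSAT: GroupPolicy and ActiveDirectory modules, run by a user who can modify
# security on the GPO. 'TS Lockdown' and Set-GpoApplyFilter are assumed names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Set-GpoApplyFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Principals that should receive Apply Group Policy (domain groups or well-known SIDs).
        [System.Security.Principal.IdentityReference[]] $Allow = @(),
        # Principals that must not receive the policy even if they also match an Allow entry.
        [System.Security.Principal.IdentityReference[]] $Deny = @()
    )
    # Apply-Group-Policy is an AD extended right identified by this rightsGuid.
    $applyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

    # A new GPO grants Authenticated Users Read + Apply. Drop it to Read only: everyone
    # still needs Read on the AD object and on SYSVOL, but Apply now comes only from
    # the entries added below. (-Replace discards the existing permission level first.)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Set-GPPermission cannot write Deny entries or address well-known SIDs, so the
    # Allow/Deny entries go straight onto the groupPolicyContainer's ACL in AD.
    $gpo  = Get-GPO -Name $GpoName
    $path = "AD:\$($gpo.Path)"        # Gpo.Path is the distinguished name of the GPO object
    $acl  = Get-Acl -Path $path

    foreach ($who in $Allow) {
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $who,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $applyRight))
    }
    foreach ($who in $Deny) {
        # A Deny ACE beats any Allow the same token also matches, which is what makes
        # "every Terminal Server user except Domain Admins" expressible.
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $who,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $applyRight))
    }
    Set-Acl -Path $path -AclObject $acl
}

# The article's real-world case: apply to anyone logged on through Terminal Services
# (well-known SID S-1-5-13, "Terminal Server User") and deny Domain Admins.
$tsUsers      = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-13')
$domainAdmins = (Get-ADGroup 'Domain Admins').SID
Set-GpoApplyFilter -GpoName 'TS Lockdown' -Allow $tsUsers -Deny $domainAdmins

# Check the result; the Denied column should show the Domain Admins entry.
Get-GPPermission -Name 'TS Lockdown' -All | Format-Table Trustee, Permission, Denied
```

On a client, gpupdate /target:user /force pulls the change immediately instead of waiting for the refresh interval or the next logon. The Deny only has to exist on the AD object, since that is where the Apply Group Policy right is evaluated; because this edit bypasses GPMC, GPMC may afterwards report that the GPO's AD and SYSVOL permissions differ and offer to reconcile them, which is safe to accept.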
I hope this information helps you in applying Windows 2000 Group Policies and helps with your migrations to a Windows 2000 network.