Diff between applying group policy to Security group and OU.

[rk_kalady]

Hi,

I have read many articles mentioning that OU is the lowest member in the AD hierarchy where we can apply group policy.

But I am able to
1. create a group policy object
2. add a security group in its in its security setting as Apply group policy

Please let me know the difference between these two ways of settings. Can we apply group policy to groups also?

Regards
Ramakrishnan M

[AdamV]

Not as such.

A group policy has to be linked to an OU, or a site, or a domain.

This makes it apply to all the users or computers in that scope and everywhere thereunder (so a user in an OU inside another OU with a linked policy also gets this).

This determines which users/computers 'could' get the policy. You can then alter security to include or exclude groups to prevent some of these possible objects from getting the policy.

But you can't (as is often misunderstood, it seems) use a group to push a policy to an object which was not already in the "possibles" based on it's location in the directory.

The only way to think of this security is that it is a filter to decide which objects really get he policies, not a mechanism to allocate them.