J Blog

A random place for me to listen to the sound of my own typing

Group Policy Security Filtering

One of the common requirements with GPOs is making sure a policy only applies to certain servers or objects. You may have a terminal server that you don't want certain GPOs assigned to, yet this server sits in the same OU as multiple other servers that do need the GPO in question to be applied.

What are your options? Basically there are two.

1) Create an additional OU for the objects that you do not want the policy to apply to, and move the objects into it (if it's a sub-OU then you will need to block policy inheritance from above), and you are done.

In a more complex environment, segmenting OUs like this may not be an acceptable solution, so we have a second option that lets you keep your AD structure as is, yet gives you more control over which objects get which policy. This is known as Security Filtering.

2) Group Policy Security Filtering

This is pretty much a self-explanatory procedure. Basically, you control the security on the policy, the same as you would on an NTFS share. You can allow or deny users and groups the permission to actually apply the policy.

Best practices on this are similar to NTFS permissions, the primary one being: don't use the Deny permission. A basic, simple set of steps is as follows.

I would also recommend using the Group Policy Management Console for this task.

1) Create a Group
2) Add your objects to the group (Users, Computers, Servers)
3) Create your GPO
4) Under the Delegation tab of the GPO, click Advanced, remove the groups you do not wish the policy to apply to, and add your newly created group that you do want the policy to apply to
5) Assign the Allow permissions for Read and Apply group policy to that group
6) Link the GPO to the OU that holds the objects.

You have now ensured that users within your group can apply the policy, and you have also ensured that no other objects will.

Simple, yes?

For the "how to" and some more in-depth reading, this is the best link I have found:
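The six steps above can also be scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original post; the group, GPO, OU and computer names are hypothetical placeholders, and it downgrades Authenticated Users to Read instead of removing the entry outright.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'GPO-Apply-ServerBaseline'        # hypothetical filter group
$GpoName   = 'Server Baseline'                 # hypothetical GPO
$TargetOU  = 'OU=Servers,DC=example,DC=com'    # hypothetical OU holding the objects
$Members   = 'APP01', 'APP02'                  # hypothetical computer accounts

# 1) Create the group
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security

# 2) Add your objects to the group
$computers = $Members | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $computers

# 3) Create the GPO
New-GPO -Name $GpoName | Out-Null

# 4) Take "Apply group policy" away from the default Authenticated Users entry.
#    -Replace is required to lower an existing permission level.
#    Read is kept because, since Microsoft's MS16-072 update, user policy is
#    retrieved in the computer's security context and needs Read on the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 5) Allow Read + Apply group policy for the new group (no Deny entries)
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 6) Link the GPO to the OU that holds the objects
New-GPLink -Name $GpoName -Target $TargetOU | Out-Null

# Check: only the filter group should hold GpoApply on this GPO
$perms = Get-GPPermission -Name $GpoName -All
$unexpected = $perms | Where-Object {
    $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $GroupName
}
if ($unexpected) {
    Write-Warning ("Unexpected Apply rights: " + ($unexpected.Trustee.Name -join ', '))
}
$perms | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Computer accounts pick up a new group membership only after a restart, so the policy will not apply to newly added servers until then.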
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html


James
