The Organizational Unit (OU) structure of an Active Directory domain is critically important; it is a delicate balance between full-service central management, flexibility, and a simple, intuitive layout. And yet, there are some settings that may need to be applied globally to users or computer accounts that exist in a number of different OUs.

With a little work upfront, administrators can create Group Policy Objects (GPOs) for an OU or the entire domain but only apply it to users or computers that are members of a security group. This can be especially valuable for computer and user accounts that have configuration requirements that do not align to the OU structure. The process is the same for a computer or user account, but this is a good first step to separate filtering for each type.

In my personal lab, I have two GPOs at the top of the domain that would execute for all objects in the domain but separated by computer and user accounts. Figure A shows these two GPOs at the root of the domain.
Figure A

There are a number of best practices you could apply that would not involve top level GPOs, but for the scope of the filtering example, the top of domain will be used. The simplest best practice would be to place all users in one top level OU and all computer accounts in another top level OU; then the GPOs for each type would reside in the respective OU.

The example also shows a self-documenting object name. In the example above, the GPOs are named Filter-GPO-ComputerAccounts and Filter-GPO-UserAccounts; this denotes that they are filtered GPOs, and the groups that have the filters applied are the GPO-ComputerAccounts and GPO-UserAccounts groups — again, self-documenting. See the corresponding security groups in Figure B.
Figure B

Click the image to enlarge.

The GPO-ComputerAccounts group is a security group with two computer accounts in it. Like user accounts, computer accounts can be members of a security group.

With the OU and the security group defined, you can configure the filters to apply a GPO only to members of the group. The first step is to remove the default Authenticated Users (read) security item for the GPO. The item to be removed is shown in Figure C.
Figure C

Click the image to enlarge.

Once the default read and apply permission from Authenticated Users is removed, the security group is added to the security tab of the GPO, and the read and apply permissions are applied. Figure D shows this being configured for the GPO-ComputerAccounts group for the Filter-GPO-ComputerAccounts GPO.
Figure D

Click the image to enlarge.

Note the Advanced button highlighted at the bottom; if the security is configured after the GPO is created, the Advanced button contains the area to add the apply group policy permission entity. At that point, the GPO is ready to be issued to the security groups.

How do you use GPO filtering? I can think of a number of ways it can be beneficial, although it also risky if over-utilized. Share your strategies in the forums.