OK. First some Group Policy basics…….
Group policies can be linked to either the Site, Domain or Organisational Unit (OU) and are processed by the client in that same order, so….settings in GPs linked to the site can be overwritten by GPs linked to the Domain, which can then be overwritten by GPs linked to an OU.
Also, GPs contain two sections:
Computer Configuration – These settings are applied when the computer boots before it gets to the login screen. Thus, they apply to the computer before, and regardless, of who’s looged on.
User Configuration – These settings are applied to the user when they log on. They will overwrite any conflicting Computer Configuration settings as they are applied after the Computer Configuration settings. (This can be changed with loop-back processing, but I won’t go in to that unless you need me to)
Back to the question……
Essentially, unless you want the GP to apply to the whole domain (or whole site) you would link it to the top-most level OU that contains the users or computers that you would want it applied to. (As above, if you switch something on in a GP and link it to a parent OU, then switch it off in another GP and link that to a child OU – the GP in the child OU will take presedence and the setting will be switched off.)
Group policies are created using the Group Policy editor. If you’re using Server 2000, you can get to it by the properties tab of the OU. If your using Server 2003 (or atleast an XP client) you can get to the GP Editor by using the Group Policy Management Console (GPMC) – which is by far the best method. If you’re using the GPMC, just right-click the OU that you want to link the GP to and select to link it from there.
Going back to the basics above… If you create Computer Configuration settings, those settings will only apply to computers, so make sure the OU (or child OUs) contain the correct computer objects – likewise for User Configuration settings and User objects – otherwise the settings will have nothing to apply to and it won’t work.
Also, Group Policy is refreshed on the client every 90 minutes +/-30 minutes, so the changes to the GP won’t take effect unless:
a: You logoff and back on again for User settings
b: Restart the computer for Computer settings
c: run the command “gpupdate” (for XP/2003) or “secedit” (for 2000) – full use of these commands can be found on the internet.
Using wither of these methods should show GP settings being applied.
Hope this helps. Let me know if I’ve confused you or missed something and I’ll try and clear it up.