Linking a Group Policy Object to an Organizational Unit

You can link a Group Policy Object to an organizational unit, domain, or site using the Group Policy Management Console. To set group policies for a selected Active Directory site, domain, or organizational unit, you must have read and write permission to access the system volume of the domain controller and the right to modify the selected directory object.

If you have created an organizational structure for Centrify as described in the Planning and Deployment Guide, the most natural place to link a Group Policy Object is the top-level container of that organizational unit structure, for example, the Centrify container.

Create and Link a Group Policy Object for Centrify Settings

  1. Click Start > Administrative Tools > Group Policy Management.
  2. Select the Centrify organizational unit, right-click, then select Create a GPO in this domain, and Link it here.
  3. Type a name for the new Group Policy Object, for example, Centrify Policy, then click OK.

If you want to apply group policies to lower levels in the organizational structure, you can do so by linking Group Policy Objects to lower level organizational units. For example, if you created a separate organizational unit for zone computers, you can link a Group Policy Object to that organizational unit. However, you cannot link Group Policy Objects to containers (CN).

Using Security Filtering for Group Policies

You can use Active Directory security groups and group policy security filtering if you want to restrict the policies applied to subsets of zone computers or users. By creating an Active Directory security group and setting security filtering for a Group Policy Object, you can achieve fine-grained control over where group policies are applied within the Centrify organizational unit structure. For example, you can create an Active Directory group called europe that has a specific set of computers in it, then restrict the application of group policies to that group.

To enable security filtering of group policies:

  1. Create the Active Directory security group with the appropriate members.

  2. Open the Group Policy Management Console and select the Group Policy Object for which you want to enable filtering.

  3. On the Scope tab, under Security Filtering, click Add.

  4. Be certain that ‘Group’ appears in Select this object type; if not, click Object Types and select Groups.

  5. Type all or part of the name of the group you created for filtering, then click Check Names.

    If more than one group is returned, select the appropriate group, then click OK.

  6. Click OK to link the security group to the scope of the Group Policy Object.
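
The two procedures above (create and link the Group Policy Object, then enable security filtering) can also be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. The script below is an added example, not part of the original Centrify documentation; the distinguished name OU=Centrify,DC=example,DC=com and the -RestrictToGroup switch are assumptions, and the filtering group is assumed to exist already with its members.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: all default values are assumptions; adjust them to your domain.
param(
    [string]$GpoName     = 'Centrify Policy',                # example name from the text
    [string]$TargetOu    = 'OU=Centrify,DC=example,DC=com',  # placeholder DN (assumed)
    [string]$FilterGroup = 'europe',                         # example group from the text
    [switch]$RestrictToGroup                                 # hypothetical switch, see below
)
$ErrorActionPreference = 'Stop'

# GPOs link to sites, domains and OUs only; reject a container (CN=) target early.
if ($TargetOu -match '^\s*CN=') {
    throw "Cannot link a Group Policy Object to a container: $TargetOu"
}

# Fail before changing anything if the OU or the filtering group is missing.
Get-ADOrganizationalUnit -Identity $TargetOu | Out-Null
Get-ADGroup -Identity $FilterGroup | Out-Null

# Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Link it to the OU unless a link to this GPO is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Security filtering: grant the group Read + Apply on the GPO.
Set-GPPermission -Guid $gpo.Id -TargetName $FilterGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# A new GPO also grants Apply to Authenticated Users by default, so adding a
# group does not narrow the scope on its own. With -RestrictToGroup that entry
# is reduced to Read, which computers still need in order to process the GPO.
if ($RestrictToGroup) {
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

# Check: list every trustee that can currently apply this GPO.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Run it with an account that holds the permissions described at the top of this page; the final listing should show only the trustees you intend the policy to apply to.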