Group Policy Deployment Planning
Applies To: Windows Server 2008
Before you deploy Group Policy, you must plan the membership and exception groups.
Planning the membership and exception groups
There is one membership group for each set of GPOs that contain configuration data for your client computers and users. Adding a user or computer account to the group enables that user or computer to read and apply all of the GPOs associated with the group.
To limit the user or computer to only one GPO of the several that might be associated with the membership group, create and assign WMI filters to each GPO. A WMI filter is evaluated to determine if a GPO should be applied to the user or computer. For example, the WMI filters described in this guide contain information about the version of the Windows operating system. For more information about creating WMI filters, see WMI Filtering Using GPMC (http://go.microsoft.com/fwlink/?linkid=93188).
If there are some computers in the membership group that should not apply the GPO, then you can create an exception group that is denied permission to apply the GPO. Because deny permissions override allow permissions, a user or computer that is a member of both groups will not apply the GPO.
For example, exception groups are used when a membership group includes computers that are running Windows 2000. That version of Windows cannot process WMI filters and applies any GPO to which it has permissions, even when the assigned WMI filter explicitly prohibits it. For this reason, you should create an exception group that contains the computer accounts of all computers running Windows 2000 and deny this group Read and Apply Group Policy permissions to the GPOs for other versions of Windows.
Planning domain access
To log on to the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt.
For more information, see the "Joining Computers to the Domain and Logging On" topic in the Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106051).