Targeting a GPO to a Specific Security Group
If you've spent any time in Active Directory, you know the magic (and sometimes headache) of Group Policy Objects (GPOs). When it comes to deploying software, you rarely want to hit every single user or computer in an Organizational Unit (OU). You need surgical precision.
The key to this precision isn't the OU, but a neat trick using Security Filtering and Delegation. In this step-by-step guide I will show you how to target a GPO-based software installation to a handful of users or computers.
Prerequisites
Before you start, make sure you have:
- Domain Admin or equivalent permissions
- Access to Group Policy Management Console (GPMC)
- A security group created with the appropriate member type (users or computers)
- Software installer package accessible via UNC path
This process takes about 5-10 minutes once you have your security group ready.
Step 1: Prep Your Target Group
Before touching the GPO, make sure you have the right Security Group in place and populated.
1.1 Identify Your Deployment Target
First, decide what you're targeting:
- Computer-based deployment: Software installs when the machine boots, regardless of who logs in
- User-based deployment: Software installs for specific users, regardless of which computer they use
Computer Configuration deployment requires a security group containing Computer Accounts.
User Configuration deployment requires a security group containing User Accounts.
Mixing these up is the #1 reason GPOs mysteriously don't apply!
1.2 Create or Verify Your Security Group
- Open Active Directory Users and Computers (ADUC)
- Navigate to your preferred OU for security groups
- Create a new security group (or use an existing one):
  - Name: Something descriptive like SG-IT-ChromeDeployment
  - Group scope: Global or Universal
  - Group type: Security
- Add the appropriate computer or user accounts as members
Step 2: Create and Configure the Software GPO
I always create a brand new GPO for each software deployment. It keeps things clean and makes troubleshooting easy.
2.1 Create the GPO
- Open the Group Policy Management Console (GPMC)
  - Press Win + R, type gpmc.msc, and hit Enter
- Navigate to the appropriate OU (or domain) where you want to link the policy
- Right-click the OU and select Create a GPO in this domain, and Link it here...
- Give it an identifiable name: Software - GoogleChrome_Targeted
I use the format Software - [AppName]_Targeted for filtered deployments and Software - [AppName]_Global for OU-wide deployments.
2.2 Configure Software Installation
- Right-click your new GPO and select Edit
- Navigate to the appropriate section depending on your deployment type:
  - For Computer-based deployment: Computer Configuration → Policies → Software Settings → Software Installation
  - For User-based deployment: User Configuration → Policies → Software Settings → Software Installation
- Right-click on Software Installation → New → Package
- Browse to the UNC path of your installer: \\server\share\software\chrome.msi
- Select Assigned and click OK
Always use UNC paths (\\server\share\file.msi), not mapped drives. Computers don't have your drive mappings!
Step 3: The Critical Move — Security Filtering
This is where the magic happens. By default, a GPO applies to all Authenticated Users within the linked OU. We need to strip that out and replace it with our specific group.
3.1 Remove Default Filtering
- Back in the GPMC, select your newly created GPO (don't edit it, just select it)
- Click the Scope tab in the right pane
- Look at the Security Filtering section — you'll see Authenticated Users listed
- Select Authenticated Users and click Remove
- Click OK to confirm the removal
3.2 Add Your Target Group
- Click the Add button in the Security Filtering section
- Type the name of your security group (e.g., SG-IT-ChromeDeployment)
- Click Check Names to validate, then click OK
Your security group is now the only one targeted by this GPO!
By adding your security group to Security Filtering, you're granting it both Read and Apply Group Policy permissions. Only members of this group will have the policy applied.
Step 4: The Safety Net — Delegation for Read Access
Removing Authenticated Users strips the Read permission from every computer that is not in your target group. Since Microsoft's 2016 Group Policy security hardening, user policy is also retrieved in the computer's security context, so a GPO that the computer account cannot read can fail to process entirely.
Even if a computer isn't in your target group, it still needs Read permission on the GPO to determine whether the policy applies to it.
4.1 Grant Read Permissions
- Still on your GPO in the GPMC, click the Delegation tab
- Click the Advanced button (bottom right)
- In the security dialog, click Add
- Search for and select Domain Computers
- Click OK to add it to the permissions list
- Select Domain Computers in the list
- In the Permissions section below, ensure only the following is checked:
  - ✅ Read (Allow)
  - ❌ Apply Group Policy should NOT be checked
- Click OK to save and close the dialog
4.2 Verify Permissions
Here's what your final permission structure should look like:
| Security Principal | Read | Apply Group Policy |
|---|---|---|
| Domain Computers | ✅ Allow | ❌ (not set) |
| Your Security Group | ✅ Allow | ✅ Allow |
| Authenticated Users | ❌ (removed) | ❌ (removed) |
- Domain Computers can Read the GPO (so all computers know it exists)
- Your Security Group can Read and Apply the GPO (so only these members get the software)
- The policy is linked to a broad OU but surgically filtered to your specific group
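The same Steps 1, 3 and 4 can be scripted with the ActiveDirectory and GroupPolicy PowerShell modules from RSAT. This is an added example, not code from the original post; the OU paths, domain and test computer name are assumed placeholders, and the Software Installation package from Step 2.2 has no cmdlet, so that part is still done in the GPMC editor.

```powershell
# Added example: scripted version of Steps 1, 3 and 4 (placeholders, adjust for your domain)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'SG-IT-ChromeDeployment'
$GroupOU   = 'OU=Security Groups,DC=corp,DC=example'   # assumed OU for security groups
$GpoName   = 'Software - GoogleChrome_Targeted'
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'      # assumed broad OU the GPO is linked to
$Members   = @('WS-TEST01$')                            # computer accounts (computer-based deployment)

# Step 1: create a Global security group and populate it with the right account type
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 2.1: create the GPO and link it to the broad OU (package is added in the GPMC editor)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Step 3: remove Authenticated Users from Security Filtering, then add the target group
# (GpoApply grants Read + Apply Group Policy, the same as the Add button on the Scope tab)
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply

# Step 4: give Domain Computers Read only, so non-members can still evaluate the GPO
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# Print the resulting ACL for comparison with the table in Step 4.2
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```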
Step 5: Test and Verify
Now it's time to make sure it works!
5.1 Force a Group Policy Update
On a test machine that's a member of your target security group, run:
gpupdate /force
For Computer Configuration deployments, you'll likely need to reboot the machine for the software installation to trigger.
5.2 Verify Application
Check if the policy is being applied:
gpresult /r
Look for your GPO in the Applied Group Policy Objects section.
For more detailed troubleshooting, generate an HTML report:
gpresult /h C:\gpreport.html
5.3 Confirm Installation
After the reboot (for computer deployments) or next login (for user deployments), check:
- Programs and Features (or Apps & Features on Windows 10/11)
- Verify your software is listed and installed
If the software installed successfully on your test machine and NOT on machines outside the security group, congratulations! You've successfully targeted your GPO.
Troubleshooting
Software Didn't Install
Check these common issues:
- Wrong account type in security group
  - Computer deployments need computer accounts
  - User deployments need user accounts
- Permissions issue
  - Verify Domain Computers has Read access
  - Verify your security group has Read + Apply Group Policy
- UNC path inaccessible
  - Ensure the computer account (for computer deployments) or user account (for user deployments) can access the UNC path
  - Grant Domain Computers read access to the share
- GPO not linked or disabled
  - Check the Scope tab to see linked locations
  - Ensure the GPO link and GPO itself are both enabled
GPO Not Showing in gpresult
Run this to see denied GPOs:
gpresult /r /scope:computer
If your GPO is in the Denied GPOs section, check your security filtering and delegation settings.
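The permission table in Step 4.2 and the checklist above can be audited from PowerShell before you touch a test machine. This is an added example, not from the original post; the function name Test-TargetedGpo is hypothetical, the GPO, group and installer path are placeholders, and the share-level permissions on the file server are not checked (only the NTFS ACL on the package).

```powershell
# Added example: audit a targeted GPO against the Step 4.2 table and the troubleshooting list
Import-Module GroupPolicy

function Test-TargetedGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $InstallerPath   # optional UNC path of the .msi package
    )
    $findings = @()
    # Trustee -> permission map from the GPO's ACL (same data as the Delegation tab)
    $byTrustee = @{}
    foreach ($p in Get-GPPermission -Name $GpoName -All) { $byTrustee[$p.Trustee.Name] = $p.Permission }
    # Table row 3: Authenticated Users must no longer have Apply Group Policy
    if ($byTrustee['Authenticated Users'] -eq 'GpoApply') {
        $findings += 'Authenticated Users still has Apply Group Policy: the GPO is not filtered at all.'
    }
    # Table row 2: the target group needs Read + Apply (reported as GpoApply)
    if ($byTrustee[$GroupName] -ne 'GpoApply') {
        $findings += "$GroupName lacks Apply Group Policy (found: '$($byTrustee[$GroupName])')."
    }
    # Table row 1: Domain Computers needs Read, and only Read
    switch ($byTrustee['Domain Computers']) {
        'GpoRead'  { }
        'GpoApply' { $findings += 'Domain Computers has Apply Group Policy: the package would deploy domain-wide.' }
        default    { $findings += 'Domain Computers has no Read access: non-members may fail to process the GPO.' }
    }
    # Troubleshooting: the GPO itself and at least one link must be enabled
    $gpo = Get-GPO -Name $GpoName
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') { $findings += "GPO status is $($gpo.GpoStatus)." }
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_.Enabled -eq 'true' })
    if ($links.Count -eq 0) { $findings += 'GPO has no enabled links.' }
    # Troubleshooting: the package must be readable by computer accounts (NTFS ACL only;
    # share permissions are checked separately on the file server)
    if ($InstallerPath) {
        if (-not (Test-Path $InstallerPath)) {
            $findings += "Installer not reachable at $InstallerPath."
        } else {
            $readers = (Get-Acl $InstallerPath).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Read' -and
                $_.IdentityReference -match 'Domain Computers|Authenticated Users|Everyone'
            }
            if (-not $readers) { $findings += "No NTFS read ACE for Domain Computers on $InstallerPath." }
        }
    }
    return $findings   # empty means the GPO matches the table in Step 4.2
}

# Placeholder names taken from the post
Test-TargetedGpo -GpoName 'Software - GoogleChrome_Targeted' -GroupName 'SG-IT-ChromeDeployment' -InstallerPath '\\server\share\software\chrome.msi'
```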
Key Takeaways
✅ Security Filtering controls who the GPO applies to (grants Read + Apply Group Policy permissions)
✅ Domain Computers needs Read access to prevent GPO failures
✅ Computer deployments require computer accounts; user deployments require user accounts
✅ Always use UNC paths for software installation sources
✅ Test on a single machine before rolling out to your security group
With these settings, you've got surgical precision for your GPO deployments. No more "oops, I installed that on the entire domain" moments!