Struggling with multiple groups

server 2003 sp2

i have been struggling *days* gpo testing.

wanted scenario: apply gpo specific group group1 (not "authenticated users"), deny gpo group2 , domain , enterprise admins.

my understanding accomplish by: setting deny "apply group policy" domain , enterprise admin groups , group2, , setting read , apply group policy group1.

unfortunately, above not working , group2 continues have policy applied, , i've rebuilt vms 3 times, in case.

the deny not overriding should, or expect would.

these "just built" vms, find hard believe kind of nesting issue, then, deny supposed override all.  i've played settings authenticated users also.

is there known issue unpatched sp2 server?  seems work admin groups, not others...  must able apply/deny gpos non-built-in groups?

hi marco,

go read:deny 

apply gpo:deny and check

also can achieve security filtering or can go item label targeting.

best practice: how apply group policy object individual users or computer

http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/   

Windows Server  >  Group Policy