Keep the following rules in mind before you apply the Group Policies:
1. Group Policies can be applied to AD-Leaf objects such as users and computers but NOT security or distribution Group.
2. Users and Computers MUST reside in the OU where you have configured Group Policy.
3. Group Policies can use GROUPS to filter the scope of policy settings.
4. By default Group Policies are applied to the following groups:
Authenticated Users
5. If the security properties are default….then Group Policy settings should apply to administrators or you because by default when you create a GPO the following Security Settings permissions are set:
*Apply Group Policy* and *Read* Permission to the following Groups:-
Authenticated Users
Domain Admins
Enterprise Admins
Administrators.
5. Group Policy processing depends on Client-Side-Extensions stored in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPTExtensions << all GUID listed for Client-Side-Extensions.
CSCs are used to process GPOs from Domain Controller. Winlogon.exe will capture a list of GPOs.
As per M$ recommendation you should remove *Authenticated Users* group and create a new Group > add all members to this group and use FILETERING technique. Now generally what happens all user objects are member of
Authenticated Users Group and the settings are mixed because from Domain Level to………child OU the settings are applied to Authenticated Users Group………so for example :-
If you have configured anything in the parent OU and also configured in Child OU…and all users are member of Authenticated Users Group….settings are meesed up and then Group Policy rule is applied:
Policy Settings at Parent OU Policy Settings at Child OU Result
If NOT Configured If Configured Child’s setting applied
If Configured If Configured and Do not conflict Both Settings
If Configured If Configured and Conflicts Child’s setting applied
If Configured If Not Configured Parent’s Setting applied
If NOT Configured If Not Configured No Settings (This is default)