You can do all that; that's what it's for. However, the container object that GP is applied to is an organizational unit (OU), so you have to make an OU for your members, add them to it, and then apply the GP to the OU. GP is applied in a hierarchy of Local, Site, Domain, OU, so you can also arrange your GPs so that some GPs are only used in one OU while others are domain- or site-wide.
OUs at the user level are usually split up into things like IT, Accounts, Managers, along the same lines as groups would be anyway, by department. If you deny anyone READ on the policy, it will not be applied to them.
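The procedure the reply describes (create an OU, move the members in, link a GPO to that OU only, then filter who it applies to), as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that you run it as a domain admin; the OU name, GPO name and the `Accounts Staff` group are hypothetical. Where the post says to deny READ in GPMC, this script instead removes the Apply/Read allow for Authenticated Users with `Set-GPPermission` (it cannot write an explicit Deny ACE), which has the same effect: the policy is not applied to anyone outside the filtered group.

```powershell
# Added example (not from the original post). Assumes RSAT AD + GroupPolicy modules
# and domain-admin rights. OU/GPO/group names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Accounts'                      # hypothetical department OU
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Accounts Desktop Lockdown'     # hypothetical GPO
$group    = 'Accounts Staff'                # hypothetical department group

# 1. GPOs link to sites, domains and OUs, never to groups, so create the OU first.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" `
                -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the department's user accounts into the OU (only users; skip nested groups).
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDN }

# 3. Create the GPO and link it to this OU only, not to the domain or site,
#    so the LSDOU order only brings it in for objects under this OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Applies only to the Accounts OU' }
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Security filtering. New GPOs give Authenticated Users Read + Apply.
#    Remove that allow and grant Apply to the department group instead,
#    so members of other OUs/groups never get the policy even if moved here.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply
# Computer accounts still need Read on the GPO to process user settings
# (required since the MS16-072 update), so keep a Read grant for them.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead

# 5. Check: what is linked to the OU, and who can read/apply the GPO.
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
Get-GPPermission -Name $gpoName -All
```

After a `gpupdate /force` on a member's workstation, `gpresult /r` run as that user should list the GPO under "Applied Group Policy Objects"; for a user outside the group it should appear under "Filtering: Denied (Security)", which confirms the filtering step did what the reply describes.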