I'm using VBScript in my logon script to map network drives. I know that a group policy should be applied to individual user accounts and computer accounts by linking GPOs to Active Directory containers (OUs). The thing that I do not know is how to apply group policy to an OU that has nothing but groups in it?
The proper way to add a GPO to a security group is:
Configure the group by adding the intended members to it (computer or user accounts).
Create your GPO and link it high enough so that it will apply on all intended objects.
Remove "Authenticated users" from the Scope panel in GPMC and add the group that should apply it. You don't have to use the advanced security section to do this, and it is less dangerous like this (no chance to lock yourself out).
If you link the GPO on the top of the domain, ensure you set the filtering before you edit the GPO so it does not get applied everywhere.
If it's a computer policy, computers need to be rebooted once they are added to the group, else when the GPO refreshes the computer isn't authenticated in the new group yet and the GPO won't get applied.
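The steps in the answer above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original answer. The group, GPO, OU and account names are hypothetical placeholders; the script downgrades "Authenticated Users" to Read instead of removing it outright, because on currently patched systems user-scoped GPOs are fetched in the computer's security context, which still needs Read access.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'GPO-Apply-MappedDrives'        # hypothetical security group
$GpoName   = 'Map Network Drives'            # hypothetical GPO
$GroupOU   = 'OU=Groups,DC=example,DC=com'   # hypothetical OU that holds the group
$LinkAt    = 'DC=example,DC=com'             # linked high enough to reach all members
$Members   = 'alice', 'bob'                  # hypothetical user accounts

# 1. Create the group and add the intended members (users or computers).
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Create the GPO, but do not link it yet.
New-GPO -Name $GpoName | Out-Null

# 3. Set the security filtering BEFORE linking, so a domain-level link
#    never applies to everyone in the window between link and filter.
#    -Replace is required to lower an existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Verify the filter before the GPO goes live.
$acl = Get-GPPermission -Name $GpoName -All
$stillApplies = $acl | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply'
}
if ($stillApplies) {
    throw "'Authenticated Users' still has Apply on '$GpoName'; not linking."
}
if (-not ($acl | Where-Object { $_.Trustee.Name -eq $GroupName -and
                                $_.Permission -eq 'GpoApply' })) {
    throw "'$GroupName' does not have Apply on '$GpoName'; not linking."
}

# 5. Link the GPO now that only the group's members can apply it.
New-GPLink -Name $GpoName -Target $LinkAt -LinkEnabled Yes | Out-Null

# Show the resulting delegation for review.
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Computers added to the group must reboot before the GPO applies to them,
# because their group membership is only refreshed at startup.
```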
You cannot apply GPOs to groups - like you said, you apply them to computer and user objects.
Both your computer and user objects are going to be somewhere in your Active Directory structure, so you should just apply the GPOs directly to the OUs where the objects live.
If all your user and computer objects are just in their default containers, it might be a good opportunity to add a bit of structure to your Active Directory with additional OUs.
If you want to do some sort of restriction on GPOs depending on what security groups a user/computer is a member of, you can edit the security properties of each GPO and add an appropriate group (i.e. Can change screensaver) and set the Read permission to Deny.