A newly created GPO does not apply its settings to anybody or anything until you link that GPO to a particular location, such as an OU. Once linked, that GPO then typically starts applying to everything listed underneath that OU. In the case of a domain-level link, this is even more widespread, as GPOs linked at the root of the domain will, by default, attempt to apply themselves to everything within the domain (other than OUs where inheritance blocking is enabled, as we already discussed). All of this sounds good if your intention is for these GPO settings to roll out to that many people and workstations, but there are instances when you create GPOs that only need to apply to particular groups of computers or users, and those groups do not always line up exactly with the way that you have structured and organized OUs within Active Directory. Indeed, if OUs were the perfect organization platform, then we wouldn't even have a need for Active Directory Security Groups (AD Security Groups), would we? But alas, AD Security Groups do exist and are used by every company in the world, so clearly we sometimes have the need to lump machines or users together in these special groups in addition to their existing organization and placement within OUs.
Where am I going with all this? Wouldn't it be great if we could link a GPO to a high-level tier (such as at the domain level), but then require additional filtering on that GPO so that it only applies to something more specific, such as a particular AD Security Group? That is exactly the option we are here to discuss. Even though you cannot create a link directly to a security group, you will find yourself quite often using security groups in order to filter your GPO settings. Under the hood, this filtering is nothing more than permissions on the GPO itself: a GPO is applied only to users and computers that hold both the Read and the Apply Group Policy permissions on it, and by default the Authenticated Users group holds both, which is why a freshly linked GPO hits everyone. Security filtering means taking the Apply permission away from Authenticated Users and handing it to the group you actually care about.
A security group usually contains a set of users that you want to keep together for one purpose or another, or it contains a group of computers that you want to lump together to meet a specific need. It is very rare that you would ever create a group that contained a mix of both user and computer accounts. This lines up well with our mentality of trying to keep GPO settings organized for one purpose or the other. A GPO created with only computer configuration settings is well prepared to be applied to a group of computer objects. And on the other hand, a GPO containing just user configuration settings could be applied to a group of users that you put together. Just one more example of how it makes sense in the big picture and through all facets of administering Group Policy to keep the two sides of the house split, and retain some separation between user and computer settings.
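The following PowerShell session puts the security filtering described above into practice: it links a GPO at the domain root, then narrows it down to a single computer security group. This is an added example, not code from the book; the GPO name "Workstation Lockdown", the group "GG-Kiosk-Workstations", and the domain corp.example.com are all assumed names, and the script assumes the GroupPolicy RSAT module is installed on the machine where it runs.

```powershell
# Added example (not from the original text). All names below are hypothetical.
# Requires the GroupPolicy module (RSAT) and rights to edit the GPO and link it.
Import-Module GroupPolicy

$GpoName   = 'Workstation Lockdown'        # assumed: an existing GPO with computer settings only
$GroupName = 'GG-Kiosk-Workstations'       # assumed: a global security group of computer objects
$DomainDN  = 'DC=corp,DC=example,DC=com'   # assumed: the domain root to link at

# 1. Link the GPO at the domain root. On its own this would make the GPO
#    apply to every computer in the domain (except OUs that block inheritance).
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes -ErrorAction Stop

# 2. Downgrade Authenticated Users from "Read + Apply Group Policy" to Read only.
#    -Replace is required here: without it, Set-GPPermission will never lower an
#    existing permission level, so Authenticated Users would keep Apply.
#    Keeping Read (rather than removing the group entirely) matters: computers
#    must still be able to read the GPO for processing to work correctly.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Grant Read + Apply Group Policy to the group that should receive the settings.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply

# 4. Verify the resulting ACL: only $GroupName should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission |
    Format-Table -AutoSize
```

After a `gpupdate /force` on a machine that is not a member of the group, `gpresult /r /scope:computer` lists the GPO under the GPOs that were not applied, with the reason "Filtering: Denied (Security)"; on a member of the group it appears under the applied GPOs. One caveat worth checking every time you filter this way: do not strip Authenticated Users out of the GPO's ACL completely. Since the MS16-072 security update in 2016, user-side settings are retrieved using the computer's security context, so if neither Authenticated Users nor Domain Computers retains Read on the GPO, user-filtered GPOs silently stop applying. Step 2 above keeps Read in place for exactly that reason.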