Don't Feed the Technician

Exclude User/Computer From GPO

This is one that I've not had many times, but enough that I feel others can benefit from the knowledge: making a Group Policy object apply to everyone except specific users or computers. It sounds simple, and like something Microsoft might have an option for but, sadly, like everything, no, they don't.

This is a relatively straightforward task; however, I would recommend using this process sparingly, as it will increase the administrative overhead of having to constantly update the security filtering on the GPO. And then there are the inevitable "They have X, why don't I?" user questions.

  • On your DC or a remote PC, open AD Users and Computers.
  • Create a new group and give it an easily identified name.
  • Now add the users or computers that you don't want the group policy applied to as members of this group.
AD Users and Computers - Excluded users Group


  • Open Group Policy Management and select the GP object that you want to apply an exception to.
  • Now click on the “Delegation” tab and then click on the “Advanced” button.



  • Click on the “Add” button and select the group that you want to exclude from having this policy applied.

In this example I am excluding the “GPExcludeTest” group for this policy.

  • Select this group in the “Group or user names” list, then scroll down the permissions list and tick the “Deny” option against the “Apply Group Policy” permission.
Select "Deny" under Apply group policy

So now all members of my “GPExcludeTest” security group will not have this group policy applied.
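The same steps can be scripted. The following is an added example, not part of the original walkthrough; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the GPO name and member names are placeholders (only the “GPExcludeTest” group name comes from the post).

```powershell
# Added example: scripted equivalent of the GUI steps above.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'GPExcludeTest'        # group name used in the post
$GpoName   = 'Example GPO'          # placeholder: the GPO to add the exception to
$Members   = 'jdoe', 'PC-042$'      # placeholders: user and computer sAMAccountNames

# 1. Create the exclusion group if it does not exist, then add the members.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Build a Deny ACE for the "Apply Group Policy" extended right.
#    Set-GPPermission has no Deny level, so the ACE is written to the
#    GPO's AD object directly. The GUID is the schema identifier of the
#    Apply Group Policy right.
$applyGpRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$groupSid     = (Get-ADGroup -Identity $GroupName).SID
$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)

# 3. Append the ACE to the GPO's existing ACL (the AD: drive comes from
#    the ActiveDirectory module).
$gpo     = Get-GPO -Name $GpoName
$gpoPath = "AD:\$($gpo.Path)"
$acl     = Get-Acl -Path $gpoPath
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpoPath -AclObject $acl

# 4. Verify: list every Deny ACE on "Apply Group Policy" for this GPO.
#    The same filter is a quick audit for exclusions nobody remembers adding.
(Get-Acl -Path $gpoPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $applyGpRight
    } |
    Select-Object IdentityReference, AccessControlType, ObjectType
```

Group membership is evaluated at logon, so a newly added user needs to log off and on (and a computer needs a restart) before the exclusion takes effect.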

