Do you have a domain user that you do not want to have a GPO applied to? Easy – we have the guide for you!

This is one of those random requests that seems to come up from time to time – You have a Group Policy Object ( GPO ) that is being applied to an entire domain group but you want to exclude just a single ( or multiple ) users from that specific GPO. While this is a fairly simple task to complete, we at Your Digital Mind want to stress that this process should be used very sparingly and always should be done through a group membership instead of explicitly designating specific users.

This is two fold – one reason is to make the administrators life a little easier by not having to continually go through and update security filtering but also allows the group to be added to the policy once and then users added to the group, reducing the time required to maintain this function.

Step 1

Open the Group Policy Object that you want to apply the exception to and then click on the “Delegation” tab. From this tab click the “Advanced” button at the bottom right of the window

Step 2

Below the list of Group or user names, click on the “Add” button and select the group (recommended) that you want to use to exclude from having this policy applied

Step 3

For this example we are using a group named “Users GPO Exceptions”. Select your group in the “Group or user names” list and then scroll down in the “Permissions” window and select the “Deny” option for “Apply Group Policy”

Step 4

Select “Apply” then “OK” and close out the window

Step 5

If you are applying this as an update to an active account, process a Group Policy Update and log into machine. Confirm that GPO is not being applied to user account

Now that you have created a “User GPO Exceptions” security group and changed the delegation of the GPO to deny the Group Policy from being applied users within this group will not have the exempted GPO applied to them. Having the security group vs explicit deny per user makes changes and administration much easier.

• About
• Latest Posts

David

I have been in the Information Technology industry for a little over a decade gaining a Bachelors degree in Information System Security and securing employment with various industries including Government, Financial, Healthcare, Corporate and the End User sectors.
I started Your Digital Mind in 2016as a way to share my love for Education, Technology and Science in an entertaining yet rewarding format. I hope you are learning and enjoying!

Latest posts by David (see all)

• iOS 16.4.1— Urgent Update Recommended - April 10, 2023
• SAML – What The Heck Is Security Assertion Markup Language? - April 6, 2023
• Employees Sharing Sensitive Business Data with ChatGPT Raises Security Concerns - March 30, 2023