Do you have a domain user that you do not want to have a GPO applied to? Easy – we have the guide for you!
This is one of those random requests that seems to come up from time to time: you have a Group Policy Object (GPO) that is being applied to an entire domain group, but you want to exclude a single user (or multiple users) from that specific GPO. While this is a fairly simple task to complete, we at Your Digital Mind want to stress that this process should be used very sparingly and should always be done through a group membership instead of explicitly designating specific users.
The reason is twofold: it makes the administrator's life a little easier by not having to continually go through and update security filtering, and it allows the group to be added to the policy once and users then added to the group, reducing the time required to maintain this function.
Open the Group Policy Object that you want to apply the exception to and then click on the “Delegation” tab. From this tab, click the “Advanced” button at the bottom right of the window.
Below the list of “Group or user names”, click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.
For this example we are using a group named “Users GPO Exceptions”. Select your group in the “Group or user names” list, then scroll down in the “Permissions” window and select the “Deny” option for “Apply Group Policy”.
Select “Apply”, then “OK”, and close out the window.
If you are applying this as an update to an active account, process a Group Policy Update and log into the machine. Confirm that the GPO is not being applied to the user account.
Now that you have created a “Users GPO Exceptions” security group and changed the delegation of the GPO to deny the Group Policy from being applied, users within this group will not have the exempted GPO applied to them. Using a security group instead of an explicit deny per user makes changes and administration much easier.
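
To review these exceptions from PowerShell, the following added example (not part of the original guide) lists every GPO in the domain that carries a Deny on “Apply Group Policy” and who that Deny covers, which goes beyond the single GPO configured above. It is read-only and assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; rows of type “user” are the explicit per-user denies this guide recommends avoiding.

```powershell
# Added example: read-only audit of "Deny - Apply Group Policy" entries.
# Assumption: run on a domain-joined machine with the RSAT modules below.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpo = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$SidType  = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($gpo in Get-GPO -All) {
    # The Delegation tab edits the ACL on the GPO's Active Directory object
    $acl  = Get-Acl -Path "AD:\$($gpo.Path)"
    $deny = $acl.GetAccessRules($true, $false, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.ActiveDirectoryRights -band $ExtRight) -and
        # An empty GUID means "all extended rights", which includes Apply
        ($_.ObjectType -eq $ApplyGpo -or $_.ObjectType -eq [Guid]::Empty)
    }

    foreach ($ace in $deny) {
        $sid = $ace.IdentityReference.Value
        # Well-known SIDs may not resolve to a domain object; keep the raw SID
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"

        # Expand groups so the report shows which accounts are really exempt
        $members = @()
        if ($obj -and $obj.ObjectClass -eq 'group') {
            $members = Get-ADGroupMember -Identity $sid -Recursive |
                Select-Object -ExpandProperty SamAccountName
        }

        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            DeniedTo = if ($obj) { $obj.Name } else { $sid }
            Type     = if ($obj) { $obj.ObjectClass } else { 'unresolved' }
            Members  = $members -join ', '
        }
    }
}

$report | Sort-Object Gpo, DeniedTo | Format-Table -AutoSize -Wrap
```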