How to exclude a Group Policy Object (GPO) for users or a security group

A common question in forums about Group Policy Objects is how to exclude (deny) a GPO for certain users or a security group. However, since there are several other ways to have a GPO apply only to certain users (linking it only to specific OUs, security filtering, item-level targeting, etc.), the method shown in this post should only be used as a last resort.

First open Group Policy Management from the Server Manager Tools or Administrative Tools.

Select the GPO that needs the exclusions and open the Delegation tab.

Click on Advanced…

Click on Add…

Select the Active Directory objects for which to create an exclusion, check the names, and click OK.

Select each object and set Apply group policy to Deny. Keep the Read permission on Allow. When everything is set, click OK.

If you set the Read permission to Deny and an administrator or similar account ends up with a Read deny on the GPO, for example by becoming a member of the denied security group, you can no longer edit the GPO easily.

You’ll get a Windows Security warning about setting a deny permission. If you understand the implications (e.g. you don’t need to adjust security group membership first) and want to continue, click Yes.

In this example the GPO "GPO – Screensaver" will no longer apply to John Doe or to the members of the security group SG_Executives.
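The same exclusion done from PowerShell, as an added example that is not part of the original post: it denies only the "Apply Group Policy" extended right on the GPO's Active Directory object (Read stays on Allow) and then lists the resulting deny entries. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin host, and the GPO name, domain and account names are placeholders to replace with your own.

```powershell
# Added example, not from the original post: deny "Apply group policy" on a GPO
# for a user or group while keeping Read on Allow, then list the deny ACEs.
# Assumes RSAT (GroupPolicy + ActiveDirectory modules) on a domain-joined admin host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known GUID of the "Apply Group Policy" extended right in the AD schema.
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Principal   # 'DOMAIN\user' or 'DOMAIN\group'
    )
    $gpo  = Get-GPO -Name $GpoName
    $path = "AD:\$($gpo.Path)"   # groupPolicyContainer object that carries the ACL
    $sid  = ([System.Security.Principal.NTAccount]$Principal).Translate(
                [System.Security.Principal.SecurityIdentifier])

    $acl = Get-Acl -Path $path
    # Deny only the Apply Group Policy extended right. Read is left as it is, so
    # admins who are also members of the group can still open and edit the GPO.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GpoApplyDenies {
    # Reads the ACL directly: Get-GPPermission only reports allow-based levels.
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo = Get-GPO -Name $GpoName
    (Get-Acl -Path "AD:\$($gpo.Path)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ApplyGroupPolicyGuid
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

# Placeholder values (constructed): replace with your own GPO, domain and accounts.
Deny-GpoApply -GpoName 'GPO - Screensaver' -Principal 'CONTOSO\jdoe'
Deny-GpoApply -GpoName 'GPO - Screensaver' -Principal 'CONTOSO\SG_Executives'
Get-GpoApplyDenies -GpoName 'GPO - Screensaver'
```

After the change, GPMC may report that the GPO's permissions in Active Directory and SYSVOL are inconsistent and offer to repair them; accept that so both copies match.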

You can exclude all kinds of Active Directory objects from a GPO this way; think of computers as well as users and groups.

  • moustachio

    very helpful, thanks

  • Antonio Bello

    how can I exclude a single Computer?

  • Numan Can

    Hi Btanko, thanks for your article. I have a question about GPO. We have many computers in different OUs. We want to make a GPO for these computers without moving them to one OU. How can I make this?