How to apply a Group Policy Object to individual users or computers

Last week I showed you how to exclude individual users from having a Group Policy Object (GPO) applied, and this time I will show you how to properly apply a GPO to an individual user or computer. As I previously mentioned, it is always best to use security groups with GPO filtering, even if you are only going to apply it to a single user or computer. This avoids ever having to go back and modify the GPO security filtering if you need to add more objects to the policy in the future.

Note: Before I start, I should point out that a common mistake here is to remove “Authenticated Users” directly from the Security Filtering section on the Group Policy Object.



You should never do this, however, as it can cause “Inaccessible” (see image below) error messages on Group Policy Objects in the Group Policy Management Console for anyone who is not a Domain Administrator. This happens because you have removed the user's ability to read the contents of the GPO. But don’t worry: being able to read the GPO does not mean the policy will be applied to that user.


Step 1. Select the Group Policy Object in the Group Policy Management Console (GPMC), click on the “Delegation” tab and then click on the “Advanced” button.


Step 2. Select the “Authenticated Users” security group and then scroll down to the “Apply Group Policy” permission and un-tick the “Allow” security setting.

Note: The “Allow” permission for “Read” still needs to remain ticked, as this prevents the “Inaccessible” message mentioned above.


Step 3. Now click on the “Add” button and select the group (recommended) that you want this policy to apply to. Then select the group (e.g. “Accounting Users”), scroll the permission list down to the “Apply group policy” option and tick the “Allow” permission.


This Group Policy will now only apply to users or computers that are members of the Accounting Users security group. However, you still need to remember that the user and/or computer must be located under the scope of the Group Policy Object for this policy to be applied.
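
The three steps above can also be scripted and then checked. The following PowerShell is an added example, not code from the original article; it uses the GroupPolicy module's Set-GPPermission and Get-GPPermission cmdlets, and the GPO name 'Accounting Settings' is a hypothetical placeholder.

```powershell
# Requires the GroupPolicy module (installed with GPMC / RSAT) and
# permission to modify security on the GPO.
Import-Module GroupPolicy

$GpoName     = 'Accounting Settings'   # hypothetical GPO name (assumption)
$TargetGroup = 'Accounting Users'      # example group used in the article

# Step 2: reduce Authenticated Users from "Read + Apply" to "Read" only.
# -Replace is required: without it Set-GPPermission will not lower an
# existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Step 3: give the target group "Read" plus "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Check: list who the GPO is filtered to, and confirm that
# Authenticated Users (well-known SID S-1-5-11) can still read it.
function Test-GpoFiltering {
    param([Parameter(Mandatory)][string]$Name)

    $perms = Get-GPPermission -Name $Name -All

    $appliesTo = $perms |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    $authUsers = $perms |
        Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

    [pscustomobject]@{
        Gpo                = $Name
        AppliesTo          = $appliesTo -join ', '
        AuthenticatedUsers = if ($authUsers) { "$($authUsers.Permission)" } else { 'None' }
        ReadRetained       = [bool]$authUsers
    }
}

Test-GpoFiltering -Name $GpoName
```

A `ReadRetained` value of `False` means Authenticated Users was removed entirely, which is the condition that produces the “Inaccessible” message described earlier.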


  3. I’ve done this with a specific computer (step 3), but the policy didn’t apply. Is this solution possible using a ‘User’ group policy and applying it to a specific computer?

  4. Why is it better to create another security group, and assign users to them and fiddle with delegation?

    I am usually creating new OU (organization unit) and I will create a GPO on it. I will just add whoever I need to this OU.

    • Well, here is how I see it from my perspective: in an ideal world you are totally right about “I am usually creating new OU (organization unit) and I will create a GPO on it. I will just add whoever I need to this OU.”
      There are times you want a policy to apply to many OUs, and from experience this happens a lot, AND a user/computer can’t be in every OU but the security group can be.

  5. Thank you for posting this article. In Step 3 of the instructions, can I add a computer, instead of a group name? I am asking this because I do not want to create another OU just for one computer, and all the computers (except for two) in the desired OU already have the software (MSO2013). I know I could manually install the software on these two PCs, but the same thing is going to happen when new PCs are added to other OU, so it would be nice to be able to apply the GPO to install the software on the single PC in the existing OU.
    Thanks for your help.

    • Yes you could just add a computer…. but the point of using the group is that it makes it more discoverable if you look at the computer object group membership in AD.

  6. Great article, but what’s the point of letting Non-Domain Admins read (and use) GPMC? This is counter-productive, you give “regular” users just the necessary permissions and tools they need to work, you don’t want those curious ones wandering around your Environment let alone spending time in GPMC when that’s not even part of their work.

    If you need some Jr. Admin (Let’s say HelpDesk) that doesn’t necessarily need to be Domain Admin then just make a Sec. Group with those and Allow Read Permissions for those GPOs they might need.

    Nevertheless they can always use ” gpresult /h c:\gpresult.htm ” to get detailed information of the enforced GPOs for machines and users.

    Again, great article (good job) but don’t mislead readers and starter MS Shop Admins to non-Best Practices.

    =] /Peace-Out\

    • The point is that many local admins on workstations are not domain admins but they can install GPMC. In fact many GPO administrators are also non-domain admins as some companies explicitly delegate permissions, but removing the “authenticated users” from the GPO will leave it in an “Inaccessible” error message. The very nature of AD is that almost everything is readable by the computers / users… Blocking the ability to see what is in the group policy only puts up road blocks for the GPO admins as they cannot see what policies might be applied to other users/computers.

      What you are suggesting is to create a group that then grants “read” access to GPO after you have taken away read access…. That could work… but what would be the point? You are no more secure and now the setup is more complicated.

  8. Great post. Thanks a lot for this.
    I followed all your instructions, but only the user settings within the GPO will apply. I have an additional question. Is it possible to apply one GPO to a user group and have both (user and computer) settings applied? Because a GPO always has a computer and a user part.

    Thanks in advance

  9. Thanks for taking the time and effort to write this, as a blogger myself I know it takes energy to produce these docs.
    However, just as Lucky and Brandon pointed out, this does not work for computers, ONLY for users.
    I have tried the exact steps many times with a Group which has computers inside of it and none of the computers will receive the policy.

  10. Hi Alan
    We applied this in our network but all the users are getting the policy rather than what we set it to be targeting, one security group.
    Can you please advise what is missing? Would patching and hotfixes not being applied be a good start?

  11. I have applied a GPO to enforce enabling screen savers and also setting it to be password protected. Set it up as shown in this article and gpresult /r shows it’s applied on the computer level but not on the user level. That said I don’t see the changes being applied. Way I’m setup (small home network):

    1. Created a new OU under my domain in Group Policy Management
    2. Dragged the GPO onto the newly created OU
    3. Went into Active Directory Users and Computers
    4. Moved the computer I want the screen saver applied to from “Computers” to the newly created OU

    When the person logs in shows as above but no screen saver. Do I have to set something else up specifically for this policy to be applied to a specific user? I read something about enabling group policy loopback processing but not sure if that is relevant to a user. Thought that is when you want to apply a user based policy across the whole computer or something.



  12. Hi,

    I have multiple OUs; every OU contains a few users. We have migrated our Exchange. Now what we want is that users from any OU who have been migrated to the new Exchange can’t import, export or create PSTs. For that I have created a Group Policy. Then I created one security group and added that group to the Group Policy’s delegation, assigning the Read and Apply Group Policy permissions. Later I added a few users to that group from different OUs. Users are still able to import and export PSTs. Note: the same policy is working fine on an OU but not on the security group.
    Please let me know which step I am missing.
