How to apply a Group Policy Object to individual users or computer

Last week I showed you how to exclude an individual user from having a Group Policy Object (GPO) applied, and this time I will show you how to properly apply a GPO to an individual user or computer. As I previously mentioned, it is always best to use a security group with GPO filtering even if you are only going to apply it to a single user or computer. This avoids ever having to go back and modify the GPO security filtering if you need to add more objects to the policy in the future.

Note: Before I start I should point out that a common mistake here is to remove “Authenticated Users” directly from the Security Filtering section on the Group Policy Object.

DON'T DO THIS!!!

image

You should never do this, as it can cause “Inaccessible” (see image below) error messages on Group Policy Objects in the Group Policy Management Console for anyone who is not a Domain Administrator. This happens because you have removed the user's ability to read the contents of the GPO, but don’t worry, this does not mean the policy will be applied to that user.

image

Step 1. Select the Group Policy Object in the Group Policy Management Console (GPMC), then click on the “Delegation” tab and then click on the “Advanced” button.

image

Step 2. Select the “Authenticated Users” security group and then scroll down to the “Apply Group Policy” permission and un-tick the “Allow” security setting.

Note that the “Allow” permission for “Read” still needs to remain ticked, as this prevents the Inaccessible message mentioned above.

image

Step 3. Now click on the “Add” button and select the group (recommended) that you want this policy to apply to. Then select the group (e.g. “Accounting Users”), scroll the permission list down to the “Apply group policy” option and tick the “Allow” permission.

image

This Group Policy will now only apply to users or computers that are a member of the Accounting Users security group. However, you still need to remember that the user and/or computer must also be located under the scope of the Group Policy Object (i.e. in an OU where the GPO is linked) for this policy to be applied.
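The same three GPMC steps can be scripted with the GroupPolicy PowerShell module, which also makes the result easy to audit. This is an added example, not code from the original post; the GPO name “Accounting Policy” is assumed, and the group name is the “Accounting Users” example from Step 3.

```powershell
# Added example (not from the original post): the three GPMC steps above done
# with the GroupPolicy PowerShell module (RSAT or a domain controller).
# Assumed names: GPO "Accounting Policy" and security group "Accounting Users".
Import-Module GroupPolicy

$GpoName = 'Accounting Policy'
$Group   = 'Accounting Users'

# Step 2: remove "Apply Group Policy" from Authenticated Users but keep "Read".
# GpoRead is a lower level than the existing GpoApply, so -Replace is needed;
# without it the existing, higher permission level is retained.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 3: grant Read + Apply Group Policy to the security group (not to a
# single user or computer, for the discoverability reason given in the post).
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check: who can actually apply the GPO now, and does Authenticated Users
# still hold Read (otherwise non-admins get "Inaccessible" in GPMC)?
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize

$applyTo  = $perms | Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
$authRead = $perms | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and
    $_.Permission -in @('GpoRead', 'GpoApply')
}

if ($applyTo -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still has Apply Group Policy; filtering is not in effect.'
}
if (-not $authRead) {
    Write-Warning "Authenticated Users has no Read on '$GpoName'; expect 'Inaccessible' in GPMC."
}
"GPO '$GpoName' applies to: $($applyTo -join ', ')"
```

The GPO link scope is unaffected by any of this, so the target users or computers must still sit in an OU where the GPO is linked.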

22 Comments

  1. Pingback: Tweets that mention Group Policy Center » Blog Archive » How to apply a Group Policy Object to individual users or computer -- Topsy.com

  2. Pingback: Group Policy Center » Blog Archive » Best Practice: Group Policy Design Guidelines – Part 2

  3. I’ve done this with a specific computer (step 3), but the policy didn’t apply. Is this solution possible using a ‘User’ group policy and applying it to a specific computer?

  4. Why is it better to create another security group, assign users to it and fiddle with delegation?

    I am usually creating new OU (organization unit) and I will create a GPO on it. I will just add whoever I need to this OU.

    • Well, here is how I see it from my perspective, in an ideal world you are totally right about “I am usually creating new OU (organization unit) and I will create a GPO on it. I will just add whoever I need to this OU.” But there are times you want a policy to apply to many OUs and from experience this happens a lot AND a user/computer can’t be in every OU but the security group can be.

  5. Thank you for posting this article. In Step 3 of the instructions, can I add a computer instead of a group name? I am asking this because I do not want to create another OU just for one computer, and all the computers (except for two) in the desired OU already have the software (MSO2013). I know I could manually install the software on these two PCs, but the same thing is going to happen when new PCs are added to other OUs, so it would be nice to be able to apply the GPO to install the software on the single PC in an existing OU.
    Thanks for your help.

    • Yes you could just add a computer…. but the point of using the group is that it makes it more discoverable if you look at the computer object group membership in AD.

  6. Great article, but what’s the point of letting Non-Domain Admins read (and use) GPMC? This is counter-productive, you give “regular” users just the necessary permissions and tools they need to work, you don’t want those curious ones wandering around your Environment let alone spending time in GPMC when that’s not even part of their work.

    If you need some Jr. Admin (Let's say HelpDesk) that doesn’t necessarily need to be Domain Admin then just make a Sec. Group with those and Allow Read Permissions for those GPOs they might need.

    Nevertheless they can always use ” gpresult /h c:\gpresult.htm ” to get detailed information of the enforced GPOs for machines and users.

    Again, great article (good job) but don’t mislead readers and starter MS Shop Admins to non-Best Practices.

    =] /Peace-Out\

    • The point is that many local admins on workstations are not domain admins but they can install GPMC. In fact many GPO administrators are also non-domain admins as some companies explicitly delegate permissions, but removing the “authenticated users” from the GPO will leave it with an “Inaccessible” error message. The very nature of AD is that almost everything is readable by the computers / users… Blocking the ability to see what is in the group policy only puts up road blocks for the GPO admins as they cannot see what policies might be applied to other users/computers.

      What you are suggesting is to create a group that then grants “read” access to the GPO after you have taken away read access…. That could work… but what would be the point? You are no more secure and now the setup is more complicated.

  7. Pingback: Admin Admin Podcast #006 – Summer Catchup | The Admin Admin Podcast

  8. Great post. Thanks a lot for this.
    I followed all your instructions, but only the user settings within the GPO will apply. I have an additional question. Is it possible to apply one GPO to a user group and have both (user and computer) settings applied? Because a GPO always has a computer and a user part.

    Thanks in advance
    Lucky
