How to exclude individual users or computers from a Group Policy Object



One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress that it should be used sparingly and should always be done via group membership, to avoid the administrative overhead of constantly updating the security filtering on the GPO.

Step 1. Open the Group Policy Object to which you want to apply an exception, then click on the “Delegation” tab and then click on the “Advanced” button.


Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.


Step 3. In this example I am excluding the “Users GPO Exceptions” group from this policy. Select this group in the “Group or user names” list, then scroll down the permissions list and tick the “Deny” option against the “Apply Group Policy” permission.


Now any members of this “Users GPO Exceptions” security group will not have this Group Policy Object applied. Using a security group to control the exception makes it much easier to manage, as someone only needs to modify the membership of the group to change who (or what) gets the policy applied. This makes delegating the task to level 1 or level 2 support much more practical, as you don’t need to grant them permissions on the Group Policy Objects themselves.
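If you would rather script the same change than click through the Delegation tab, the following PowerShell is an added example (not code from the original post or from GPMC). It assumes the RSAT GroupPolicy and ActiveDirectory modules, rights to edit the GPO, a placeholder GPO name, and the “Users GPO Exceptions” group from Step 3.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: drive used below

$GpoName   = 'Workstation Lockdown'   # placeholder GPO name, replace with yours
$GroupName = 'Users GPO Exceptions'   # exception group from Step 3

# Well-known GUID of the "Apply Group Policy" control access right.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo      = Get-GPO -Name $GpoName
$group    = Get-ADGroup -Identity $GroupName
$domainDn = (Get-ADDomain).DistinguishedName

# Security filtering is the ACL on the GPO's container under CN=Policies.
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$acl     = Get-Acl -Path $gpoPath

# A Deny ACE on the Apply Group Policy right is what the "Deny" tick in
# Delegation > Advanced writes. Deny beats the Allow that Authenticated Users
# hold by default, so members of the group skip this GPO entirely.
# For a computer-side GPO the group must contain the computer accounts,
# not the users who log on to them: the client filters on its own token.
$denyRule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight)
$acl.AddAccessRule($denyRule)
Set-Acl -Path $gpoPath -AclObject $acl

# Verify through the GPMC API: the group should now be listed as denied.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Denied } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Group Policy evaluates the ACL on the AD object, but GPMC also mirrors permissions onto the GPO's SYSVOL folder and may report the two as out of sync and offer to repair them. On a member of the group, gpupdate /force followed by gpresult /r should then list the GPO as filtered out with the reason “Denied (Security)”.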

44 Comments


  2. This will exclude certain users from one policy applied to all computers. What if you have two specific policies applied to two areas of computers? Example… we have a flash screensaver to apply to all users’ desktops and we have a 3do built-in screensaver to apply to service computers. When a regular (flesh and blood) user logs on to a certain computer that resides in the service computer OU, the policy applied to their regular account gets applied to the service computer. We want to exclude this from happening.

    • If it is a user setting that you want to apply to specific computers, but you also want to make an exception, then you can use a Loopback policy and then apply the same “Deny” on the “Apply Group Policy” permission.

  3. Hi Alan,

    Thanks for a great blog and a great article; I have an AD Domain (Server 2008 x64 BIT DC) with a Server 2003 32BIT Print Server, and all of our servers (ONLY 64 BIT ONES) are getting Event ID 4098 related to an Epson Printer driver. They were getting the same warning for a Brother printer too, but I was able to successfully upload the 64BIT Brother driver and it disappeared, and now it only appears for the Epson C4200.

    I want to exclude all our servers from getting printers via GPO; we have one GPO, the Default Domain Policy, which is deploying the two printers. The servers aren’t in a group, rather the default group of “computers” in the AD Users and Computers snap-in.

    If I follow the above instructions of getting to the default domain policy (GPO), clicking on Advanced and then adding the Computer Accounts of the different servers and ticking the “Deny” option against the “Apply Group Policy” permission; that should work – but that means that the default domain policy will not apply to the servers then?

    I only want to exclude the printer deployment settings from this GPO; we have Exchange 2007 running too, so I don’t really want to disturb settings and make it unhappy :-)

    Will be grateful if you could assist via your comments.

    Kind Regards

  4. Hi Alan,

    Thanks for your prompt response and a great suggestion; I have done what you mentioned by:

    Gpedit, selected “Default Domain Policy” object > Right click > Edit Object

    User configuration > preferences > control panel settings > Printers

    I then selected one of our printers, right click > Properties > Common (tab) > checked “Item level Targeting” and clicked on the “Targeting” button

    In the Target Item Editor, I selected “New Item” by “computer name > inputted my own computer name at work (to test)”; in “Item Options” I selected “is not”

    So, it means that the GPO will not apply to my computer name for that printer?
    or
    Shall I select “is”?

    My user account is a domain admin and I am logged on to my machine at the moment – I edited the GPO “default domain policy” on the server itself (RDP).

    I have run a gpupdate /force on my computer but the printer still shows under “Devices and printers” (using Windows 7); I tried restarting it too.

    I just want to make sure that these two printers don’t get deployed on logon or in any other way to those servers, as then we have all sorts of event IDs 4098 etc. related to printer problems.

    I am really grateful for your help and support
    Kind Regards

    The action for that printer is “Create”

    • Hi Alan,

      I read through the entire post and must say a big thanks to you for guiding all of us here, and I appreciate your hard work.

      Alan, I am referring to the discussion of rihatum’s scenario and I want to say that I am very much in a similar kind of scenario, but the difference is that I cannot see any printers in User configuration > preferences > control panel settings > Printers or Computer configuration > preferences > control panel settings > Printers.
      The reason is that we have one print server and we have printers listed under printer connections in the default domain policy, and these settings are linked up with the printer management on our separate print server.
      So now again the question is how I can exclude some servers from having these printer connection settings applied..
      Please guide me to solve this issue.

      Thanks in advance

  5. Hi Alan,

    Once again, Thanks so much for your great articles and suggestions.

    Basically, because that printer is in the “Default Domain Policy”, it gets or tries to get installed / deployed on all Domain computers including servers.

    I wanted to “Exclude the Servers”. Which I think I did via “is not” and was seeking assurance from you whether that is the right setting or not.

    To clear my concept: Basically,

    a) if there is a setting in a GPO we don’t want applied to ONE or more computers, we select the computer name(s) and select “is not” in the GPO Item Targeting editor?

    b) If there is a setting in a GPO we want applied to everyone, we leave it as it is (provided it’s configured properly)

    c) If there is a setting in a GPO for many computers and we want that specific setting applied to just ONE computer, we select “is” with the computer name in the targeting editor.

    Sorry to have been bothering you on here; I could have emailed you a screenshot if required.

    Thanks so much for your assistance.
    Rihatum

  6. I understand your scenario and it sounds REALLY BAD… don’t ever deploy printers using the Default Domain Policy… EVER!!!!

    Create a “Servers” Organisational Unit and a “Workstations” Organisational Unit and create a “Users” OU… move all your server accounts into the Servers OU and workstations into the Workstations OU, and move all your standard non-admin users into the “Users” OU…

    Then create a “Users” group policy and link it to the “Users” OU. That way your printers will only be deployed where they should be and only map on your workstations… as your normal non-admin users should never log on to a server….

    This article is really only intended for handling exceptional cases… I BEG YOU TO NEVER MAP PRINTERS VIA THE DEFAULT DOMAIN POLICY… THIS IS SO BAD!!!!!

  7. Hi Alan,
    I am having a problem with this deny right on a GPO – the issue is that I have a Computer-based GPO that needs to be denied for some users and applied for others. Now I have set up the relevant global security groups and under the Delegation -> Advanced tab denied the GPO to the one and applied it to the other. After refreshing the relevant PCs and logging in with the test users I find that all the Computer GPOs are being applied to the users, including the ones being denied.

    Any tips?

    • Same issues here… anything we need to do to the “Authenticated Users” group?
      …since ‘everyone’ is going to be an authenticated user and have the policy applied.

  8. I’ve done exactly this, but I’ve run into an odd issue.

    I’ve got a GPO set up and applied that reboots all the workstations (via a scheduled task through Group Policy Prefs) at 4:00am. I have a list of machines (about 30-35 of them) that are in a ‘Do Not Reboot’ group. This group is filtered out.. so far so good.

    Except 2 machines on that list still get the GPO and still reboot nightly at 4:00am. And for the life of me I can’t figure out why. I’ve checked logs (maybe I wasn’t checking the right ones, but all seems well), checked the domain, including domain replication.. all checks out fine.

    The only thing that’s different about these 2 computers is that they were added to the ‘Do Not Reboot’ group 4-5 days later than the other machines on the list; they were late additions. But I added them the same way (and have removed them and re-added them again, just to make sure) but it’s still happening. Any ideas?

  9. I don’t understand how this is labeled “…users or computers…” when the example shows a user and not a computer. It’s kind of like answering half a question…

    I have my TMG server connected to my DC in my small tiny LAN… I created a policy for users and put the TMG computer in an OU which I called “TMGou”.

    The problem is this: the Group Policy I created, which I called “user-settings”, has some things for computer preferences. The problem is the TMG box is getting those settings applied to it even though in the OU (TMGou) the user-settings GPO is NOT linked… I want to exclude the TMG box from getting the settings the users get.

  10. I have Windows Server 2003 AD, running the 2008 schema. I set up a policy to block writes to CD/DVD drives and USB drives. I set a group to exclude a list of users from this policy, but all the W7 PCs are applying it anyway. XP and 2K machines are honoring the exclude.

    Please help!!!

  11. gpresult shows the policy “is” applied… I figured it out late yesterday; I was looking for the option “remove cd burning options” and realized I had applied the policy to the computer, not the user…
    These options, unlike some others, appear in both places in the tree..
    cd/dvd– read/write/execute
    usb removable media– read/write/execute
    I had set up the exclusion based on the AD user, not the computer… =| DOH!!!

    Thanks for your reply

  12. Thanks for your guideline.
    I have done the settings as per the above. But it is taking some time to apply these settings to network users.
    I have also done gpupdate /force. But it still does not work.
    Please help

    Ajay

  13. We are working on applying the “remove AD users from local admin group” and “add desktop admin group” GPO to computers. The issues are:

    1. There are many machines in the domain, though local administrators log in to these in labs. This GPO is not getting applied.

    2. There are exceptions, where specific lab systems need to be excluded where an AD user logs in; however the same user also uses other machines which need to be included in the GPO. Using Authenticated Users is not helping.

    Need some suggestions.

  14. Alan,

    I’m not sure if you are still monitoring this post since it’s quite old. But my question is:

    I have one computer on the domain that I don’t want GP pushed down to. We push Windows Update settings via GP and I want one user’s computer to not be forced to install updates. I want that user/computer to be able to install the updates when they want to and not have it forced. I did your steps above. I added the user and also his computer to the delegation. Both the user’s AD account and his computer have the “Apply group policy” permission set to deny, but the Windows Update settings are still being pushed to the user’s laptop. What am I missing?

    • I would run “gpresult /h %userprofile%\desktop\report.html” as a local admin and take a look at why windows update setting is still being applied and what policy is setting it…

    • The report says what’s below. Interesting as I thought the directions in this blog post and what I did for the user/computer would override the default domain policy. I must be wrong.

      Windows Components/Windows Update
      Policy                                              Setting   Winning GPO
      Allow Automatic Updates immediate installation      Enabled   Default Domain Policy
      Configure Automatic Updates                         Enabled   Default Domain Policy
        Configure automatic updating: 4 – Auto download and schedule the install
        The following settings are only required and applicable if 4 is selected.
        Scheduled install day: 0 – Every day
        Scheduled install time: 03:00
      Policy                                              Setting   Winning GPO
      Turn on recommended updates via Automatic Updates   Enabled   Default Domain Policy

  15. You have the setting in the Default Domain Policy… this is a very bad thing. You should not be configuring this in default domain policy. I would remove the setting out of this policy and put it in a new policy linked at the top of the domain as well…. THEN… filter this new policy for the Windows Update settings…

  16. OK, I have a question. My server (2003) has the Group Policy applied, at least in part, to the Administrator! How do I make sure that the Administrator has no Group Policies? Example: On the server I want to make sure the screen saver goes to password protect when the screen saver comes on. The check mark is greyed out. I changed the policy to ENABLE for that, then did the gpupdate on the server. The option did not change. I tried to change the Group Policy for the Administrator to DENY and that did not change it either. What am I missing?

  17. Hello,

    Thank you for informative article.
    I had to reboot the server in the excluded security group to apply the settings.
    Is there a way to apply it without a reboot?

    Thank you
