Step 1. Open the Group Policy Object that you want to apply an exception and then click on the â€œDelegationâ€ tab and then click on the â€œAdvancedâ€ button.
Step 2. Click on the â€œAddâ€ button and select the group (recommended) that you want to exclude from having this policy applied.
Step 3. In this example I am excluding the â€œUsers GPO Exceptionsâ€ group for this policy. Select this group in the â€œGroup or user namesâ€ list and then scroll down the permission and tick the â€œDenyâ€ option against the â€œApply Group Policyâ€ permission.
Now any members of this â€œUser GPO Exceptionsâ€ security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control as someone only needs to modify the group membership of the group to makes changes to who (or what) get the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you donâ€™t need to grant them permission to the Group Policy Objects.