How to exclude individual users or computers from a Group Policy Object



One of the common question I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straight forward process however I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.

Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.

image

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.

image

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission.

image

Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control as someone only needs to modify the group membership of the group to makes changes to who (or what) get the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant them permission to the Group Policy Objects.

Author: Alan Burchill

Microsoft MVP (Group Policy)

69 thoughts on “How to exclude individual users or computers from a Group Policy Object

  1. This will exclude certain users from one policy applied to all computers. What if you have two specific policy applied to two areas of computers? Example… we have a flash screensaver to apply to all users desktops and we have a 3do built in screensaver to apply to service computers. When a regular (flesh and blood) user logs on to a certain computer that resides in the service computer OU, the policy applied to their regular account gets applied to the service computer. We want to exclude this from happening.

    1. If it is a user setting that you want to apply to specific computers but you want to also make an exception then you can use a Loopback policy and then do the same “Deny” “Apply Group Policy” permission.

  2. Hi Alan,

    Thanks for a great blog and a great article ; I have a AD Domain (Server 2008 x64 BIT DC) with a Server 2003 32BIT Print Server, all of our servers (ONLY 64 BIT ONES) are getting Event ID 4098 related to a Epson Printer driver. They were getting the same warning for a Brother printer too, but I was able to successfully upload the 64BIT Brother driver and it disappeared and now only appears for Epson C4200.

    I want to exclude all our servers to get printers via GPO, now we have one GPO of Default Domain Policy which is deploying the two printers, the servers aren’t in a group rather the default group of “computers” in AD users and computers snap-in.

    If I follow the above instructions of getting to the default domain policy (GPO), click on Advanced and then add the Computer Accounts of different servers and tick the “Deny” option against the “Apply Group Policy” permission ; that should work – but that means that the default domain policy will not apply to the servers then ?

    I only want to exclude the printer deployment settings from this GPO, we have Exchange 2007 running too so don’t really want to disturb settings to make it unhappy 🙂

    Will be grateful if you could assist via your comments.

    Kind Regards

  3. Hi Alan,

    Thanks for your prompt response and a great suggestion ; I have done what you mentioned by :

    Gpedit, selected “Default Domain Policy” object > Right click > Edit Object

    User configurtaion > preferences > control panel settings > Printers

    I then selected one of our printers, right click > Properties > Common (tab) > checked “Item level Targetting” and click on the “Targetting” button

    In the Target Item Editor, I selected “New Item” by “computer name > inputted my own computer name at work (to test)” in “Item Options” – I selected “is not”

    So, it means that the GPO will not apply to my computer name for that printer ?
    or
    Shall i select “is” ?

    My user account is a domain admin and I am logged on to my machine at the moment – I edited the gpo “default domain policy” on the server itself (rdp).

    I have ran a gpupdate /force on my computer but the printer still shows under “Device and printers” (using windows 7), tried restarting it too.

    I just want to make sure that these two printers doesn’t get deployed on logon or in anyother ways to those servers as then we have all sorts of event ids 4098 etc etc related to printer problems.

    I am really grateful for your help and support
    Kind Regards

    The action for that printer is “Create”

  4. If you want to target it to just one computer then select “IS” and you only select specific comptuer names …
    If you want to select multiple computers then use an “OR is” for each subsequest entries….

    1. Hi Alan,

      I read through the entire post and must say a big thank’s to you for guiding all of us here and i appreciate you for your hard work here.

      Alan, I am referring to the discussion of rihatum scenario and i want to say that i am very much into the similar kind of scenario but the difference is that i cannot see any printer’s in User configurtaion > preferences > control panel settings > Printers or computer configurtaion > preferences > control panel settings > Printers.
      The reason is that we have one printer server and we have printer’s listed under printer connections in default domain policy and these setting’s are linked up with the printer management in our separate printer server.
      So now again the question is how i can exclude some server’s to not have this printer connections setting’s applied ..
      Please guide to solve this issue.

      Thank’s in advance

  5. I also recommend that you DONT do this in the default domain policy… create a new policy and target it to just the computers that you want to apply the policy… Maybe a seperate OU just to be absoutley sure

  6. Hi Alan,

    Once again, Thanks so much for your great articles and suggestions.

    Basically, because that printer is in “Default Domain Policy” it gets or tries to get installed / deployed on all Domain computers including servers.

    I wanted to “Exclude the Servers”. Which I think I did via “is not” and was seeking assurance from you whether that is the right setting or not.

    To clear my concept : Basically,

    a) if there is a setting in a GPO we don’t want to be applied to ONE or more computer, we select the computer name(s) and select “is not” in GPO Item Targetting editor?

    b) If there is a setting in a GPO we want to be applied to everyone, we leave it as it is (provided its configured properly)

    c) If there is a setting in a GPO for many computers and we want that specific setting to be applied to just ONE computer we select “is” with the computer name in targetting editor.

    Sorry to have been bothering you on here, I could have emailed you a screenshot if required.

    Thanks so much for your assistance.
    Rihatum

  7. I understand your senario and it sounds REALY BAD… dont ever deploy printer using the Default domain policy… EVER!!!!

    Create a “Servers” Organisational Unit and a “Workstations” Organisational Unit and create a “Users” OU… move all your server accounts into the servers OU and workstations into the workstations OU and move all your standard non-admin users into the “Users” OU…

    Then create a “Users” group policy and link it to the “Users” OU. That way your printers will only be deployed they should only map on your workstations… as you normal non-admin users should never logon to a server….

    This article is really only intended for handling exceptional cases… I BEG YOU TO NEVER MAP PRINTERS VIA THE DEFAULT DOMAIN POLICY… THIS IS SO BAD!!!!!

  8. Hi Alan,
    I am having a problem with this denial right to a GPO – the issue is that I have a Computer based GPO that needs to be denied for some users and applied for others. Now I have setup the relevant global security groups and under the Delegation -> Advanced tab denied the GPO to the one and applied it to the other. After refreshing the relevant PCs and logging in with the test users I find that all the Computer GPOs are been applied to the users, including the ones been denied.

    Any tips?

    1. Same issues here…anything we need to do to “Authenticated” user group?
      …since ‘everyone’ is going to be authenticated user and have the policy applied.

  9. I’ve done exactly this, but I’ve run into an odd issue.

    I’ve got a GPO setup and applied that reboots all the workstations (via scheduled task through Group Policy Prefs) at 4:00am. I have a list of machines (about 30-35 of them) that are a ‘Do Not Reboot’ group. This group is filtered out.. so far so good.

    Except 2 machines on that list still get the GPO and still reboot nightly at 4:00am. And for the life of me I can’t figure out why. I’ve checked logs (maybe I wasn’t checking the right ones, but all seems well) checked the domain, including domain replication.. all checks out fine.

    The only thing that’s different about these 2 computers is that they were added to the ‘Do Not Reboot’ group 4-5 days later than the other machines on the list, they were late additions. But I added them the same way (and have removed them and re-added them again, just to make sure) but its still happening. Any ideas?

  10. i dont understand how this is labeled “…users or computers…” when the example shows a user and not a computer. its kind of like answering half a question…

    i have my tmg server connected to my dc in my small tiny lan… i created a policy for users and put the tmg computer in an OU which i called “TMGou”.

    the problem is this: the GroupPolicy i created which i called “user-settings” has some things for computer preferences. the problem is the TMG box is getting those settings applied to it even though in the OU (TMGou) the user-settings is NOT linked … i want to exclude the TMG box from getting the settings the users get.

  11. I have windows server 2003 AD, running 2008 schema. i setup a policy to block write to cd/dvd drives, and USB drives. i set a group to exclude am list of users from this policy, but all the W7 pcs are applying it anyway. XP, and 2K machines are honoring the exclude.

    Please help!!!

  12. gpresult shows the policy “is” applied… i figured it out late yesterday, i was looking for the option “remove cd burning options” and realized i had applied the policy to computer, not user…
    These options, unlike some others appear in both places in the tree..
    cd/dvd– read/write/execute
    usb removable media– read/write/execute
    i had setup the exclusion based on ad user, not computer… =| DOH!!!

    Thanks for your reply

  13. Thanks for your guideline.
    I have done settings as per above settings. But there is required some time to apply this settings in network users.
    I have done also gpupdate /force. But its till no work.
    Pls help

    Ajay

  14. We are working on applying the “remove ad users from local admin group ” and “add desktop admin group” GPO to computers. The issue is ,

    1. there are many machines though in the domain, local administrators login to these in labs. This GPO is not getting applied.

    2. There are exceptions , where specific lab systems need to excluded where AD user Logs, however same user also uses other machines which need to included in GPO. Using authenticated users is not helping

    Need some suggestions.

  15. Hi alan is this technique will apply on password policy? i need to exclude my account and other AD administrator on password policy. because of the comflicter

  16. Alan,

    I’m not sure if you are still monitoring this post since it’s quite old. But my question is:

    I have one computer on the domain that I don’t want gp pushed down to. We push windows update settings via GP and I want one users computer to not be force to install updates. I want that user/computer to be able to install the updates when they want to and to not have it forced. I did your steps above. I added the user and also his computer to the delegation. Both the users AD account and his computer have the “Apply group policy” permission set to deny but the windows update settings are still be pushed to the user’s laptop. What am I missing?

    1. I would run “gpresult /h %userprofile%\desktop\report.html” as a local admin and take a look at why windows update setting is still being applied and what policy is setting it…

    2. The report says what’s below. Interesting as I thought the directions in this blog post and what I did for the user/computer would override the default domain policy. I must be wrong.

      Windows Components/Windows Update
      Policy Setting Winning GPO
      Allow Automatic Updates immediate installation Enabled Default Domain Policy
      Configure Automatic Updates Enabled Default Domain Policy

      Configure automatic updating: 4 – Auto download and schedule the install
      The following settings are only required
      and applicable if 4 is selected.
      Scheduled install day: 0 – Every day
      Scheduled install time: 03:00
      Policy Setting Winning GPO
      Turn on recommended updates via Automatic Updates Enabled Default Domain Policy

  17. You have the setting in the Default Domain Policy… this is a very bad thing. You should not be configuring this in default domain policy. I would remove the setting out of this policy and put it in a new policy linked at the top of the domain as well…. THEN… filter this new policy for the Windows Update settings…

  18. OK, I have a question. My server (2003) has the Group Policy applied, at least in part, to the Administrator! How do I make sure that the Administrator has No Group Policies. Example: On the sever I want to make sure the screen saver goes to password protect when the screen saver comes on. The check mark is greyed out. I changed the policy to ENABLE for that then did the gpupdate on the server. The option did not change. I tried to change the Group Policy for the Administrator to DENY and that did not change it either. What am I missing?

  19. HI,

    I try to add 5 Computers to the Sec Group and add the deny to that group but still screen saver policy aplied to those pc’s?

    AS

    1. You’ve only denied from being reapplied. Don’t you need to create another policy now to undo what was initially applied?

  20. Reboot the computer to make sure the user (or computer) membership of the excluded Active Directory Group is activated !

  21. Hello,

    Thank you for informative article.
    I have to rebooted server from excluded security group, to apply settings.
    Is it a way to apply it without reboot?

    Thank you

  22. Good day I am so excited I found your web site, I really found you by error, while I was browsing on Digg for something else, Regardless I am here now and would just like to say
    kudos for a remarkable post and a all round entertaining blog (I also
    love the theme/design), I don’t have time to read it
    all at the minute but I have bookmarked it and also included your RSS feeds, so when I have time I will be back to read more, Please do keep up the superb job.

  23. Alan, what performance impact is one likely to see when processing hundreds of GPO objects which are filtered to a group? For example in a flat structure where all computer accounts are in single OU but there are maybe 100+ policies linked to this OU, each filtered by a security group containing computer objects…

    Thanks

    1. From a performance point of view applying 100+ GPO’s can slow things down a lot if you have slow network links. However unless you are using a VPN of Direct Access that is not normally a problem however. What you need to be carefull of is what you are setting in the GPO and if that action is somehting that can slow it down.

      I would also HIGHLY recommend applying some sort of OU structure and applying the GPO to that structure… maybe not for all.. but for at least 90% of the GPO settings…

  24. Thanks Alan, of those 100+ only 1 or 2 would actually apply to the machine and all would be for printer deployment so your looking at a couple applying and the rest being skipped via security filtering. I am interested in the delay in processing the objects which are NOT going to apply. e.g. what impact does the checking ACLs and group membership have.

  25. i have windows server 2008r2, i configured the folder redirection ( desktop , Mydocument ) group policy for particular OU. but problem is while configured the outlook in user’s machine, .PST file saved in documents only,
    only outlook data is not Synchronising from user’s machine to server , can you help me

  26. Hi. Thanks! but this works only if user is a local administrator of the computer. If is not, this not work.

    Any workaround?

    Regards

  27. In 2012 environment. Can we deny a user when policy is enforced. Please advise and share a article if possible as we are currently facing same issue.

  28. Hi Alan,

    I have an another interesting turn of events with an exclusion of a GPO.

    I have a win 2008 functional level with GPO that sets user config preferences for network printers. it updates 4 network printers with 1 as default.
    The problem is I have certain users with personal printers on their desk so I want to exclude them. Naturally I have created a global security group, added members and then configured the delegation and checked the deny permission to apply GPO. unfortunately it is not working and the GPO still applies to those members of the group.

    The strange thing is, if I add an individual user to the delegation and deny them, it works without a problem. What would stop a group from working as an exclusion? it seems only logical that this should work as I just have to add members to it for simplicity sake.

    Thanks

  29. One thing that I can’t see mentioned here that is certainly not easy to answer.
    How to exclude a particular Computer from a User policy. You can’t simple deny the machine as mentioned here. It doesn’t work. I found that I needed to use WMI Filtering. I’m sure we have all seen the box at the bottom of the Group Policy Management Screen.

    The syntax of this filtering is a bit strange and I don’t pretend to understand it.
    I used this in the query dialog box when excluding more than one machine.

    select * from Win32_ComputerSystem where not (Name = “MACHINENAME1” or name = “MACHINENAME2”)

    Obviously just put your machine names inside the quotes.
    I found this useful when I don’t want a user policy to apply when an admin user is logging on to a server for example.

    Hope this helps someone else..
    David

  30. I have a GPO with u Computer configuration settings and User configuration settings including loop back processing – Replace.

    I have only computers in the OU where this GPO is applied.

    Under Delegations I have a group of users where I selected Deny for Apply group policy.

    The Users and Group of users do not have GPO’s applied (besides the standard Default Domain Policy).

    When I logon with a user in the group mentioned above, computer configuration settings are applied.

    I was expecting that all policies would not apply. What am I missing here?

    Thanks in advance

  31. Thank you boss, really it helped resolving loopback(merge mode) problem that I faced with one of my favourite resetting due to user logon script configured for the user.

  32. Hi Alan,

    I want to exclude members of a security group from applying group policy.
    The policy is applied at Domain level with security filtering for ‘Authenticated users’.

    When I deny a single user in delegation tab, it works perfectly but it is unable to apply on a security group. FYI, I have that group placed at root of domain so that it applies to all users.

    What am I missing here?

  33. Hi All,

    I found the solution after a little troubleshooting, the GP was not picking up the sec group membership and I had to manually delete the GP cache files on client machine and it worked!

    Thanks,
    Praman Deep singh

  34. Hello house,
    Please I want to deploy a gpo that would handle log hour restrictions, this log hour restrictions is based on two hours per everyday for users irrespective when they login, How can I do that.
    Thank you!

  35. Hello house,
    I want to deploy a gpo that would handle log hour restrictions, this log hour restrictions is based on two hours per everyday for users irrespective of the time they have login, how can i deploy this dpo for the users.
    Thank you !!
    From: Innocent Anyaegbu.

  36. Change the local user’s group policy by running gpedit.msc. This will require administrator login, but once credentials are entered the local GPO will override any other GPO’s on the domain.

Leave a Reply