Windows OS Hub

March 16, 2025

Exclude a Specific User or Computer from Group Policy

There are several ways to prevent certain Group Policy Object (GPO) settings from being applied to specific users and/or computers in Active Directory:

  • Use GPO security filtering to control which AD objects are allowed to apply the policy (the easiest and most convenient option)
  • Narrow the scope of the GPO with a WMI filter
  • Define exceptions with Item-Level Targeting; this only applies to settings configured through Group Policy Preferences

Let’s consider a scenario where you need to prevent a Group Policy that configures Windows Update settings from applying to a specific computer. In this example, all computers are located in an OU called Workstations, to which the gpo_WSUS_workstations GPO has been assigned.

First, create a separate security group in AD (gpo_WSUS_workstations_excl) and add the computers or user accounts that you want to exclude from the Group Policy Object scope.

Create an AD group for GPO exclusion

  1. Open the domain Group Policy Management console (gpmc.msc).
  2. Select the required GPO, go to the Delegation tab, and click the Add button.
    How to exclude a specific user or group from GPO
  3. Note that by default the GPO applies to all AD objects, because the Authenticated Users group is allowed to apply it.
  4. Enter the name of the group, user, or computer that you want to exclude from the Group Policy.
  5. Click the Advanced button and set Deny for the Apply Group Policy permission.
    Deny for 'Apply Group Policy' permission for a specific AD group
  6. This prevents the GPO settings from being applied to any AD object in the specified group. Deny permissions take precedence over Allow permissions, so even though Authenticated Users is allowed to apply the policy, the Deny entry wins.

Update the GPO settings on the client (preferably reboot the computer to refresh AD group membership). Next, open a command prompt and generate a report of the applied GPOs by running the following command:

gpresult /r

This report shows that the WSUS policy was not applied to this computer because security settings are preventing it:

The following GPOs were not applied because they were filtered out
WSUS_workstations
Filtering: Denied (Security)

gpresult: Filtering: Denied (Security)

To add another computer to the exclusions of this GPO, simply add its account to the gpo_WSUS_workstations_excl group and reboot the computer.
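The same exclusion scripted end to end, as an added example that is not part of the original article: it creates the exclusion group, adds a computer, writes the Deny ACE for the Apply Group Policy right on the GPO, and verifies the result. The GPO and group names are the article's; the computer name WKS-ADM01 is a constructed placeholder, and the script assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed.

```powershell
# Added example, not from the original article. Assumes RSAT GroupPolicy and
# ActiveDirectory modules; WKS-ADM01 is a constructed placeholder computer name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'gpo_WSUS_workstations'
$GroupName = 'gpo_WSUS_workstations_excl'
$Computer  = 'WKS-ADM01'

# 1. Create the exclusion group if it does not exist yet, then add the computer.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description "Objects excluded from $GpoName"
}
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $Computer)

# 2. Set-GPPermission can only grant Allow levels, so add the Deny for the
#    'Apply Group Policy' extended right on the GPO's AD object directly.
#    edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the Apply-Group-Policy control access right.
$gpo      = Get-GPO -Name $GpoName
$domainDn = (Get-ADDomain).DistinguishedName
$gpoDn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$applyGp  = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$acl  = Get-Acl -Path "AD:\$gpoDn"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGp)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 3. Verify: the exclusion group must now appear with Denied = True, while
#    Authenticated Users keeps its GpoApply allow entry.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize
```

Membership changes only take effect after the computer's Kerberos ticket is refreshed, so reboot the client before checking with gpresult /r as described above.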

The downside of this method for creating exceptions for the GPO is that the administrator must manually add or remove users/computers from the group that needs to be excluded from the policy. If you want users or computers to be automatically added/removed from the policy scope based on some dynamic attributes, you can use the AD dynamic groups concept or the WMI GPO filters.

The idea behind a WMI filter is to create a WQL query that defines which objects the policy applies to. For example, you might want the policy to skip computers with the keyword 'adm' in their hostname. This can be achieved with the following WMI query:

SELECT * FROM Win32_ComputerSystem WHERE NOT (Name LIKE '%adm%')

Create this WMI filter in the GPMC console and link it to the GPO.

WMI Filter to exclude AD user/computer/group from a GPO

Now, each computer will check the WMI query at startup, and if it doesn’t match, the policy will not be applied.
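Before linking a WMI filter to a production GPO it is worth checking how it evaluates on a given machine. This added helper (not part of the original article) mirrors the Group Policy engine's rule, where the policy applies only if the query returns at least one instance; the query is the article's, the function name is an assumption.

```powershell
# Added example, not from the original article. Test-GpoWmiFilter is a
# hypothetical helper name; the query is the one used above.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Group Policy applies a WMI-filtered GPO only when the WQL query returns
    # at least one object; an empty result means the GPO is skipped.
    $result = Get-CimInstance -ComputerName $ComputerName -Query $Query -ErrorAction Stop
    [bool]($result | Measure-Object).Count
}

$wql = "SELECT * FROM Win32_ComputerSystem WHERE NOT (Name LIKE '%adm%')"
if (Test-GpoWmiFilter -Query $wql) {
    "GPO would apply to $env:COMPUTERNAME (hostname does not contain 'adm')"
} else {
    "GPO would be filtered out on $env:COMPUTERNAME (gpresult shows 'Denied (WMI Filter)')"
}
```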

There is another way to create exceptions for specific users and computers in the GPO. If you are using GPO settings that are located in the Group Policy Preferences (GPP) section, you can make policy exceptions using Item-Level Targeting.

In the settings of any GPP item on the Common tab, you need to enable Item-level Targeting and configure IS-NOT rules to define exceptions for applying this GPO parameter. In this example, we have configured GPP exceptions for a specific AD group and computer.

Create exclusion rule in Group Policy Preferences using Item-Level Targeting
