Active DirectoryMicrosoft TechnologiesWindows Server

Step-by-Step Guide to exclude user or user group from group policy

In a Group Policy within an Active Directory infrastructure, there may be times when you need to exclude a user or user group. This could be necessary due to specific application or system settings. Sometime I seen administrators create separate OU and move users there just to get user exclude from particular group policy. It is not necessary to create new OU to exclude users from GPO. In this post I am going to demonstrate how you can exclude a user or group from a GPO.

Editing Group Policy

1)    Log in to a server with administrator privileges (it can be DC server or a server with group policy management feature installed on). I am using windows server 2016 TP5 DC for the demo.
2)    Open the GPO mmc with server manager > tools > group policy management

opening Group Policy management console

3)    Then expand the tree and go to the group policy that you like to exclude users or group. In my demo it’s going to be GP called Test1

Group Policy management console

4)    Click on the selected GPO and in right hand panel it will list the settings. Click on delegation tab.

Group Policy delegation

5)    Then click on the Advanced button

Group Policy delegation window

6)    In window, click on add to add the user or the group that you like to exclude

add users to the group

selecting target user

7)    Then in the permission list, you can see by default Read permission is allowed. Leave it same and scroll down the list to select permission called Apply group policy. Then click on deny permission.

adjusting permission

8)    Then click on OK to apply the changes. In warning message click on Yes. Now we successfully exclude user2 from the Test1 GPO.

information window

review permissions

Hope this post informative and if you got any questions feel free to contact me on rebeladm@live.com

More info – https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: How to setup Entra ID Restricted management Administrative Units ?

In my previous blog post, I discussed what Entra ID Administrative Units are and how they can be…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *