Within an Active Directory infrastructure, there may be times when you need to exclude a user or user group from a Group Policy. This could be necessary due to specific application or system settings. Sometimes I have seen administrators create a separate OU and move users there just to get a user excluded from a particular group policy. It is not necessary to create a new OU to exclude users from a GPO. In this post I am going to demonstrate how you can exclude a user or group from a GPO.
Editing Group Policy
1) Log in to a server with administrator privileges (it can be a DC or a server with the Group Policy Management feature installed). I am using a Windows Server 2016 TP5 DC for the demo.
2) Open the Group Policy Management MMC from Server Manager > Tools > Group Policy Management.

3) Then expand the tree and go to the group policy from which you would like to exclude users or groups. In my demo it is going to be the GPO called Test1.

4) Click on the selected GPO; the right-hand panel will list its settings. Click on the Delegation tab.

5) Then click on the Advanced button

6) In the window, click Add to add the user or the group that you would like to exclude.


7) Then, in the permission list, you can see that Read permission is allowed by default. Leave it as it is and scroll down the list to the permission called Apply group policy. Then tick Deny for that permission.

8) Then click OK to apply the changes. In the warning message, click Yes. We have now successfully excluded user2 from the Test1 GPO.
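The same exclusion as steps 1 to 8, scripted, followed by an audit that lists every Deny "Apply group policy" entry in the domain. This is an added example, not part of the original post; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and reuses the Test1 and user2 names from the demo.

```powershell
# Added example: assumes the GroupPolicy and ActiveDirectory RSAT modules
# and an account allowed to change the GPO's security settings.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Test1'   # GPO used in the walkthrough
$Principal = 'user2'   # user or group to exclude (sAMAccountName)

# rightsGuid of the "Apply Group Policy" extended right in AD
$ApplyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Resolve the GPO's directory object and the principal's SID
$gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
$path = "AD:\$($gpo.Path)"
$obj  = Get-ADObject -Filter "sAMAccountName -eq '$Principal'" -Properties objectSid
if (-not $obj) { throw "Principal '$Principal' not found" }

# Deny ACE for the extended right only; the default Read entry is untouched (step 7)
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $obj.objectSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGpo)

$acl = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Audit: report every Deny "Apply Group Policy" ACE across all GPOs
Get-GPO -All | ForEach-Object {
    $g = $_
    (Get-Acl -Path "AD:\$($g.Path)").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.ObjectType -eq $ApplyGpo } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo       = $g.DisplayName
                Principal = $_.IdentityReference
                Inherited = $_.IsInherited
            }
        }
}
```

The audit loop is read-only and is worth running periodically: a Deny entry on a GPO that carries security settings exempts that principal from them without any change to OU structure or links.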


I hope this post was informative, and if you have any questions feel free to contact me at rebeladm@live.com
More info – https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview