While working with Group Policy, we often need to exclude specific clients or machines from a setting. Creating a separate group for the excluded clients is not a perfect solution for this scenario. Instead, you can use the Delegation tab of a Group Policy Object (GPO) to exclude clients or machines.

In this article, we’ll see how you can apply a GPO to only the users or computers you want. To exclude the remaining targets in your organization, follow the process described below. Before you use this method, make sure the users or computers you want to exclude already exist in your organization. For example, if you want to exclude the Test User account, this account should already be created.

Exclude Individual Users Or Computers From A Group Policy Object

To illustrate this process, I’ll exclude a Test User account, which I’ve already created. This example uses a user account, but you can follow a similar process to exclude a machine.

1. Open Group Policy Management by running the gpmc.msc command.

2. In the Group Policy Management window, locate the GPO you want to exclude the user from, and in the corresponding right pane, click the Delegation tab. Then click the Advanced button.

3. Next, in the Security Settings window, click the Add button.

4. In the next window, type the name of the user you want to exclude and click Check Names. If you’re not sure about the exact user name, click Advanced, search for the user, and add it here. Once the user is listed, click OK.

5. Back in the Security Settings window, select the user you added in the previous step. Then, under Permissions, scroll down to Apply group policy and check the Deny box. Click Apply, then OK.

6. In the confirmation prompt that appears next, click Yes.

7. Finally, the user should now be listed with custom permissions for the GPO. This means the user is now excluded from the GPO.

You can now close the Group Policy Management window. The setting will take effect once the Group Policy engine is updated.

That’s it!
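A Deny entry on Apply group policy, as set in step 5, is easy to lose track of later, so it helps to list every such exclusion in the domain. The following read-only PowerShell check is an added example, not part of the original article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, and the function name `Get-GpoApplyDeny` and the GPO name in the comment are hypothetical.

```powershell
# Added example: read-only audit of "Deny - Apply group policy" entries on GPOs.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and domain read access.
Import-Module GroupPolicy, ActiveDirectory

# rightsGuid of the "Apply Group Policy" extended right in Active Directory
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-GpoApplyDeny {
    param(
        # Optional GPO display name; when omitted, every GPO in the domain is checked
        [string]$GpoName
    )
    $gpos = if ($GpoName) { Get-GPO -Name $GpoName -ErrorAction Stop } else { Get-GPO -All }

    foreach ($gpo in $gpos) {
        # Gpo.Path is the distinguished name of the GPO container in AD
        $acl = Get-Acl -Path "AD:\$($gpo.Path)"
        foreach ($ace in $acl.Access) {
            $isDeny     = $ace.AccessControlType -eq 'Deny'
            $isExtended = $ace.ActiveDirectoryRights.HasFlag($ExtendedRight)
            # An empty ObjectType means the entry covers all extended rights
            $coversApply = ($ace.ObjectType -eq $ApplyGpoRight) -or
                           ($ace.ObjectType -eq [guid]::Empty)
            if ($isDeny -and $isExtended -and $coversApply) {
                [pscustomobject]@{
                    Gpo       = $gpo.DisplayName
                    GpoId     = $gpo.Id
                    Excluded  = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# List every exclusion in the domain. To check a single GPO, pass its name,
# e.g. Get-GpoApplyDeny -GpoName 'Workstation Baseline' (hypothetical name).
Get-GpoApplyDeny | Sort-Object Gpo, Excluded | Format-Table -AutoSize
```

After following the steps above, the account you excluded should appear in the `Excluded` column for that GPO.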

6 Comments

  • Thankachan Lonappan

    Thanks for the info. Do you know how to do this in Server 2019? I couldn’t find the option in 2019 policy. Thanks

  • Kapil Arya

    ^^ These steps are already illustrated on Server 2019. Please recheck on your system.

  • Naveen

    What about the allow section… Should read have allow checked?

  • Kapil Arya

    ^^ It’s up to you, Naveen 😎

  • T Kay

    Thank you for clear instructions. Can this be done to deny the policy for a local non-domain user on endpoint PCs? I have local users on some operational computers whose software requires a local user account with customized permissions and I don’t want certain GPOs messing with them. I have a workaround in place, but your method would be ideal as I can deny at the very moment that I create the policy.

  • Kapil Arya

    ^^ Well, you can try and see if it works. I’ve not tested it that way, so can’t comment.
