
Exclude a Computer or User from a GPO

You have an Active Directory GPO that impacts several computers or users, and you need to exclude a computer or user from being impacted by the GPO.

Solution

This can certainly be done. Note that it should always be done through AD groups and never by directly adding computer or user entries to the GPO's permissions; otherwise, you'll cause a long-term nightmare in terms of AD management.

For this example, I’ll be using a Windows 2003 DC.

First and foremost, create an AD group to control all of this. In our example, we’re going to exclude certain users from having a screensaver GPO applied to them. This is for a kiosk where we want anybody to be able to walk up to the PC, clock into work, clock out of work, etc. So, we created an AD group named No_Screensaver_Users and included several Users in that AD group. We could just as easily have added several Computers to that group if we wanted to impact a Computer GPO.

Second, you need to use the AD group within the GPO to enable the exemption.

  1. Start GPMC.
  2. Locate the GPO in which the exception should be placed (e.g., if you want to exclude a user from having a screen saver lock auto-enabled, then you would go to the GPO that applies the screen saver lock). Single-click on the GPO.
  3. Click on the Delegation tab for the GPO.
  4. Click on Add, which is at the bottom of the Delegation window.
  5. Enter the name of the AD group. In our example, the AD group is No_Screensaver_Users. So select the AD group and click Ok to return to the Delegation window. You should now see the AD group show up in the Groups and Users in the Delegation window. By default, the AD group will have Read access to the GPO.
  6. Next, we’ll edit that AD group’s rights so that the Apply Group Policy right is DENY. See how that works? We’ll deny any user in that AD group from having the right to apply this GPO, which creates the exclusion. To do this, click on Advanced in the far bottom-right portion of the window.
  7. The Security Settings for the GPO will appear.
  8. Click on the No_Screensaver_Users group and, as described in step 6, change Apply Group Policy from Allow to Deny.
  9. Click Ok.
At this point you are good to go, although it may require a user to log out and log back in, or a computer reboot, on the target systems.

The trick when doing this is determining whether you want it done at the Computer or User level. For the screen lock, the Computer level can work, but often the User level will work better. Also, always be sure you aren't reproducing work. It's not uncommon for another sysadmin to have already done this for you, but to have used a slightly different AD group name (e.g., Disable Screen Lock vs. No_Screensaver_Users).
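The same exclusion can be scripted instead of clicked through GPMC, which makes it repeatable and easy to audit. The following is an added example, not part of the original post: it uses the RSAT GroupPolicy and ActiveDirectory modules to put the "Apply Group Policy" Deny on the GPO's AD object for the group. Set-GPPermission cannot express a Deny (its -PermissionLevel values are Allow levels only), so the ACL is edited directly. The GPO name "Screensaver Lock" is an assumed placeholder; the group name No_Screensaver_Users comes from the post.

```powershell
# Added example (not the original post's code): deny "Apply Group Policy" to an AD group
# on a GPO, the PowerShell equivalent of Delegation > Advanced in GPMC.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and rights to edit the GPO's security.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Screensaver Lock'       # assumed GPO display name (placeholder)
$GroupName = 'No_Screensaver_Users'   # group from the post

# Schema GUID of the "Apply Group Policy" extended right.
$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Resolve the GPO's AD object (CN={GUID},CN=Policies,CN=System,...) and the group's SID.
$gpo      = Get-GPO -Name $GpoName
$gpoDn    = $gpo.Path
$groupSid = (Get-ADGroup -Identity $GroupName).SID

# Read the GPO's current DACL through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$gpoDn"

# Allow Read, which is what the Delegation tab's Add button grants by default...
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)

# ...and explicitly deny "Apply Group Policy", which is the exclusion itself.
# Deny entries win over any Allow the group's members inherit from Authenticated Users.
$denyApplyRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($denyApplyRule)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Verify: the group should be listed with the Apply permission flagged as denied,
# exactly as GPMC's Delegation tab shows it after the GUI procedure.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq $GroupName } |
    Format-Table Trustee, Permission, Denied
```

On a target machine, run `gpupdate /force` and then `gpresult /r` as the affected user: the GPO should move to the "not applied because they were filtered out" section with the reason shown as "Denied (Security)". That is also the quickest way to check whether the exclusion is taking effect at the User or the Computer level, since gpresult reports both scopes separately.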
