Step-By-Step: Excluding Users or Usergroups from Group Policy

Sometimes you need to exclude a user or user group from a group policy to satisfy an application or system setting. I've seen administrators create a separate OU and move users into it just to keep them out of a particular group policy. This is not necessary. This post demonstrates how you can exclude a user or group from a GPO with a Deny on the Apply group policy permission, avoiding the extra work.

1)    Log in to a server with administrator privileges (it can be a DC or any server with the Group Policy Management feature installed). I am using a Windows Server 2016 TP5 DC for the demo.
2)    Open the Group Policy Management MMC via Server Manager > Tools > Group Policy Management.

3)    Then expand the tree and go to the group policy from which you want to exclude users or groups. In my demo it's going to be the GPO called Test1.

4)    Click on the selected GPO; the right-hand panel lists its settings. Click on the Delegation tab.


5)    Then click on the Advanced button.


6)    In the security window, click Add to add the user or group that you want to exclude.


7)    In the permission list you can see that Read permission is allowed by default. Leave it as it is and scroll down the list to the permission called Apply group policy. Tick Deny for that permission.


8)    Click OK to apply the changes. In the warning message click Yes. User2 is now successfully excluded from the Test1 GPO.

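The same exclusion can be scripted, which is handy when you have to repeat it on many GPOs or want an auditable record. This is an added example and not part of the original post; it assumes the RSAT GroupPolicy and ActiveDirectory modules are present and that you run it with rights to edit the GPO. The GPO name (Test1) and user (user2) are taken from the post; everything else is an assumption. It writes a Deny entry for the Apply-Group-Policy extended right directly on the GPO's Active Directory object, which is what the Delegation tab does behind the scenes.

```powershell
# Added example: deny "Apply group policy" on a GPO for one user via the
# GPO's AD security descriptor. Read permission is left untouched, exactly
# as in the GUI steps above, so the client can still read but not apply it.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Test1'    # GPO name from the post
$Trustee = 'user2'    # sAMAccountName of the user to exclude (from the post)

# Well-known extended-right GUID for Apply-Group-Policy
$ApplyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Resolve the GPO's groupPolicyContainer object and the user's SID
$gpo    = Get-GPO -Name $GpoName
$adPath = "AD:\$($gpo.Path)"
$sid    = (Get-ADUser -Identity $Trustee).SID

# Build an explicit Deny ACE for the Apply-Group-Policy right and attach it
$acl  = Get-Acl -Path $adPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGpRight)
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verify: expect one Deny / ExtendedRight entry for user2 with the Apply GUID
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$Trustee" -and
                   $_.ObjectType -eq $ApplyGpRight } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

GPMC keeps the GPO's SYSVOL folder ACL in sync with the AD object, so after editing only the AD side this way, open the GPO's Delegation tab once and accept the prompt to repair the SYSVOL permissions if it appears. Because Deny ACEs on GPOs are a common cause of "why didn't this policy apply" tickets, run `gpresult /r` on an affected client and keep the verification output with your change record.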