A common question in forums about Group Policy Objects is how to exclude (deny) a GPO for certain users or a security group. There are several other ways to make a GPO apply only to certain users (linking it only to specific OUs, security filtering, item-level targeting, etc.), so the method shown in this post should only be used as a last resort.
First open Group Policy Management from the Server Manager Tools or Administrative Tools.
Select the GPO that needs the exclusions and open the Delegation tab.
Click on Advanced…
Click on Add…
Select the Active Directory objects for which to create an exclusion, after checking the names click on OK.
Select each object and set Apply group policy to Deny. Keep the Read permission on Allow. After everything is set, click on OK.
If you set the Read permission to Deny and an administrator or similar account ends up with a Read deny on the GPO, for example by becoming a member of that security group, you can no longer edit the GPO easily.
You will get a Windows Security warning about setting a deny permission. If you understand the implications (for example, you do not need to adjust any security group memberships) and want to continue, click Yes.
In this example the GPO – Screensaver will no longer apply to John Doe or to the members of the security group SG_Executives.
All kinds of Active Directory objects can be excluded from a GPO this way; this includes computer objects, not only users and groups.
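As an added example, not code from the original post: a PowerShell audit that lists every GPO in the domain that carries a Deny entry, so exclusions made this way stay visible and an accidental Deny on Read is spotted before anyone is locked out of editing. It assumes the GroupPolicy module from RSAT is installed and that the Denied property on the returned permission entries is populated.

```powershell
# Added audit example (not part of the original post).
# Assumes: GroupPolicy module (RSAT) is available and the caller can read all GPOs.
Import-Module GroupPolicy

function Get-GpoDenyEntries {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All returns every trustee on the GPO; keep only Deny entries
        $denied = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            Where-Object { $_.Denied }

        foreach ($e in $denied) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $e.Trustee.Name
                Type       = $e.TrusteeType
                Permission = $e.Permission
                # A denied GpoRead is the case the post warns about: admins in that
                # group can no longer open the GPO. (Assumption: a Deny on Apply only,
                # with Read still allowed, is reported as GpoApply; verify against the
                # Delegation tab in your environment.)
                ReadDenied = ($e.Permission -eq 'GpoRead')
            }
        }
    }
}

# Report, with Read denies first so they are easy to notice
Get-GpoDenyEntries |
    Sort-Object @{Expression = 'ReadDenied'; Descending = $true}, Gpo, Trustee |
    Format-Table -AutoSize
```

Run it after applying an exclusion like the one above; a row for GPO – Screensaver with trustee SG_Executives and ReadDenied False is the intended result, while any row with ReadDenied True should be reviewed.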