When we create organizational units and I want to apply GPOs to objects contained in them (for example users or computers), I have realized that if we do not want to apply the policy to special users (Help desk users, admistrators, etc) when they log in that computers (to complete maintenance tasks) it is necessary to use GPO filtering to avoid it. that force to create a group with same objects that are contained in that OU to APPLY and READ checkboxes only for that group. We remove authenticated users of the list. In that way when an IT user log in he has not problem with the computer. I don´t understand very well this. We have to create the same groups with the users or computer which are incluided in the container? . Is that correct ?. Is it a good idea and practice to deny APPLY and READ GPOs for these special groups of administrators ?