Exclude a specific machine from a group policy

Posted on 2007-10-15
Medium Priority
Last Modified: 2011-08-18
We have a group policy object which we want to apply to all machines within an OU except one. Is there a way (using WMI filters or Delegation or something) to exclude that one specific machine?

We do not want to create a separate OU for that one machine.
Question by: mrichmon

Assisted Solution

cpottercpotter earned 180 total points
ID: 20082363
You can just deny read access to the GPO for that one machine.
LVL 70

Accepted Solution

KCTS earned 195 total points
ID: 20082707
Just to expand on what cpottercpotter has said, the process by which you can do this is called group policy filtering and is detailed at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true
LVL 30

Expert Comment

ID: 20084193
This is a common question - I refer you to the following solution from the PAQ: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22864893.html
LVL 35

Author Comment

ID: 20086405
>>You can just deny read access to the GPO for that one machine.
That is what I remembered from a class a while ago, but I can't seem to find where to do it.  The article says to right click on the GP object and choose properties, but I don't have that option.

I remembered how to do it.
In the Delegation tab, add the computer.
Then choose "Read" from the drop-down as the default. Click OK.
Select the machine from the list.
Then click the advanced tab.
Select "Deny" next to "Apply Group Policy".

As a note I am pretty sure that selecting "Deny" for read would do the same thing.  They said in the class you can't apply a GPO that you can't read.
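
The Delegation-tab steps above can also be scripted. The following is an added example, not part of the original thread: it assumes the RSAT `GroupPolicy` and `ActiveDirectory` PowerShell modules are installed, and the GPO name and computer name are hypothetical placeholders. `Set-GPPermission` has no Deny level, so the Deny entry for the "Apply Group Policy" extended right is written directly to the ACL of the GPO's Active Directory object. The last step lists every such Deny entry on the GPO, which is useful when auditing for machines that have been quietly exempted from a policy.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Hypothetical names: replace with your own GPO and computer.
$GpoName      = 'Workstation Baseline'
$ComputerName = 'PC-EXEMPT01'

$gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Equivalent of adding the computer on the Delegation tab with "Read".
Set-GPPermission -Guid $gpo.Id -TargetName $ComputerName `
    -TargetType Computer -PermissionLevel GpoRead | Out-Null

# rightsGuid of the "Apply Group Policy" extended right in the AD schema.
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# The GPO's AD object: CN={GUID},CN=Policies,CN=System,DC=...
$adPath = "AD:\$($gpo.Path)"
$acl    = Get-Acl -Path $adPath

# Deny "Apply Group Policy" for this one computer account only.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)

$acl.AddAccessRule($denyApply)
Set-Acl -Path $adPath -AclObject $acl

# Audit: list every principal that is denied "Apply Group Policy" on this GPO.
(Get-Acl -Path $adPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $applyGpoRight
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Run `gpresult /r` on the excluded machine after its next policy refresh to confirm the GPO is listed as filtered out.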
