How do I edit a single user in Active Directory Group Policy

Posted on 2010-01-07
Last Modified: 2012-05-08
I have a group policy witch applys to all domain users, but now I need to edit that policy for a single user on my domain and not sure to do that.
Question by:PalaConstruction
    LVL 35

    Expert Comment

    by:Joseph Daly
    You would want to add that user in security filtering. In GPMC select the GPO you want and go to the delegation tab. Click advanced and then add the user you want to block. Then check the boxes for deny read and apply group policy.
    LVL 26

    Expert Comment


    Using the GPMC (
    Change the Security Filtering on that GPO from authenticated Users to only that one user.
    That's it.
    LVL 19

    Accepted Solution

    Do you mean, change the policy but for only 1 person? So all the others get the same settings as before, but this 1 user is different?

    That isn't possible, but you can instead just create a new policy with the desired settings for the single user, and use security filtering to ensure this user is the only person it can apply to.

    If you just don't want the policy to apply for that user, you can again use security filtering on the existing policy to block it from applying to that user.

    Security Filtering is found within GPMC - Click on the policy object, then on the right hand side click the 'Delegation' tab, then select 'Advanced' button in the bottom right corner.

    Then just add the user account, and DENY both read and apply rights.

    If you need to create a new policy, just ensure that ONLY this particular has both read and apply rights. Remove the authenticated users group, and you should be good to go.

    If you're not sure on any part of that, just let me know with a bit more detail on what you're trying to achieve, and I'll try to explain it a little better...


    LVL 28

    Expert Comment

    The easiest way is probably to make a new OU parallell with the one with the rest of the users and put the "special" user in that OU. Then make the tailored GPO on this OU.

    You can also make a sub-OU in the existing OU if you want to apply the GPO to the special user and then add additional settings in another GPO for the sub-OU only.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    The saying goes a bad carpenter blames his tools. In the Directory Services world a bad system administrator, well, even with the best tools they’re probably not going to become an all star.  However for the system admin who is willing to spend a li…
    As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    794 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now