We have a GPO (User Configuration) that applies to all desktop PC's in a specific OU. I would like to know if it is possible to DENY the GPO (User Configuration) to a specific membership group of AD computers. eg. laptop AD objects. (A group made up of laptops) Not a group of users themselves. I am not sure if this is possible as my understanding of computer and user configurations are separate?