
How do I restrict a certain computer from receiving a Group Policy?

In the Delegation tab of a GP in the Group Policy Management console you can restrict certain user accounts from receiving a GP by setting their account with a DENY Read permission.  However doing the same with a computer account doesn't work to prevent that account from receiving the GPO.

Is there a way to block certain computer accounts in any regard other than setting up blocked inheritance with OUs?  WMI perhaps?  I'd prefer not to use the method of separate OUs and blocked inheritance; that would be a bit messy.

Joseph Moody, Blogger and wearer of all hats.

Commented:
Go to Advanced (in the Delegation tab) and select Deny for "Apply group policy".
Commented:
Make a group of computers and then deny the GP; it's listed as "Apply Group Policy". You simply check Deny there, restart the computer, and you are set.
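The two comments above describe the same operation: put the excluded computer accounts in a security group and give that group a Deny on the "Apply Group Policy" right of the GPO. The script below is an added example, not code from the thread; it does that from PowerShell. The GPO name, group name, OU path, computer name and domain are constructed placeholders. It edits the ACL of the GPO's container object in AD directly because the GroupPolicy module's `Set-GPPermission` can only write Allow entries.

```powershell
# Added example (not from the thread): deny "Apply Group Policy" on one GPO
# to a security group that holds the excluded computer accounts.
# Assumptions: names below are constructed placeholders; run as an account
# that may edit the GPO's security (Domain Admin or delegated).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'Windows Firewall Settings'              # constructed
$groupName = 'GPO Windows Firewall Settings - Deny'   # constructed
$groupOu   = 'OU=Groups,DC=example,DC=com'            # constructed
$computer  = 'WS-EXAMPLE01'                            # constructed

# 1. Group that carries the deny. Computer accounts are addressed with a trailing "$".
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOu
}
Add-ADGroupMember -Identity $groupName -Members "$computer$"

# 2. Set-GPPermission cannot create Deny ACEs, so add the ACE to the ACL of the
#    GPO's groupPolicyContainer object. The GUID is the well-known extended
#    right "Apply Group Policy".
$gpo      = Get-GPO -Name $gpoName
$gpoDn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$groupSid = (Get-ADGroup -Identity $groupName).SID
$applyGp  = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGp
)

$acl = Get-Acl -Path "AD:\$gpoDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 3. Verify on the excluded computer. The group is evaluated from the
#    computer's logon token, so a restart is needed before the deny takes effect:
#       gpupdate /force
#       gpresult /r /scope:computer
#    The GPO should now be listed as filtered out with the reason "Security".
```

Two things to check afterwards: the Delegation tab, Advanced view of the GPO should show the group with Deny on "Apply group policy", and GPMC may report that the AD and SYSVOL permissions of the GPO are out of sync and offer to fix it, which is harmless to accept. Keep the deny group small and named after the GPO; a Deny ACE that silently outlives its purpose is the usual cause of "this policy never applies" tickets later.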
hirenvmajithiya, Manager (System Administration)

Commented:
Use a WMI filter with the computer name field.
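The WMI-filter alternative, as an added example that is not part of the thread: the WQL query that would go into the filter (namespace `root\CIMv2`, class `Win32_ComputerSystem`, whose `Name` is the computer's NetBIOS name), and a local check that runs the same query so you can see on a given machine whether the filter would pass. The excluded names are constructed placeholders.

```powershell
# Added example (not from the thread): WQL for a GPO WMI filter that excludes
# specific computers by name, plus a local evaluation of that query.
$excluded = @('WS-EXAMPLE01', 'WS-EXAMPLE02')   # constructed placeholders

# Build the query exactly as it would be pasted into the WMI filter
# (Namespace: root\CIMv2). A row is returned only when this computer is
# not one of the excluded names.
$wql = "SELECT * FROM Win32_ComputerSystem WHERE " +
       (($excluded | ForEach-Object { "Name <> '$_'" }) -join ' AND ')

# Run the same query locally. No result means the GPO linked to this
# filter would be reported by gpresult as "Denied (WMI Filter)" here.
$match = Get-CimInstance -Namespace 'root\CIMv2' -Query $wql

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Query      = $wql
    GpoApplies = [bool]$match
}
```

The filter is evaluated by every computer at every policy refresh, so it is a good fit for a handful of exclusions but adds a little processing time per GPO; for larger or changing sets, a security-group deny is easier to maintain and easier to audit from AD.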
ZenVenky, Architect

Commented:
Add this computer to a newly created OU and change this option as per your requirement: "Access this computer from the network". You can find it in GPMC under the Default Domain Controllers Group Policy object:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Most Valuable Expert 2011

Commented:
I use Ackles' method except I flip it around the other way.  I create a security group that has almost the same name as the GPO (my way of self-documenting), then I add the PC account to the group if I WANT it to use the GPO,...then any machine not in the group does not use the GPO.   Most of my GPOs are NOT based on the OU something is in,...I have found that to be too inflexible,...so I do most of them via security groups.

Let's say I have a GPO called "Windows Firewall Settings",...I then create a security group called "GPO Windows Firewall Settings".   I prefix all of them with "GPO" so when I add a machine to them I can type "GPO" in the dialog box and it shows me only those groups to pick from.  Now don't get me wrong,...the OUs are also factored in,...but by themselves they are too inflexible.
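The opt-in model described above, as an added example that is not part of the thread: Authenticated Users loses Apply, and only members of a "GPO"-prefixed group apply the policy. Names are constructed placeholders. One caveat the comment predates: since the MS16-072 update (KB3163622), a computer retrieves user-side settings with its own account, so Authenticated Users (or Domain Computers) must keep Read on the GPO; the script therefore downgrades Authenticated Users to Read rather than removing it.

```powershell
# Added example (not from the thread): convert a GPO to "apply only to members
# of the matching GPO group". Names below are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'Windows Firewall Settings'          # constructed
$groupName = 'GPO Windows Firewall Settings'      # "GPO " prefix, as in the comment
$groupOu   = 'OU=Groups,DC=example,DC=com'        # constructed
$members   = @('WS-EXAMPLE01$', 'WS-EXAMPLE02$')  # computer accounts end with "$"

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOu
}
Add-ADGroupMember -Identity $groupName -Members $members

# Authenticated Users keeps Read but loses Apply. Read is still required so
# computers can fetch user-side settings (MS16-072 / KB3163622).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace

# Only the GPO group applies the policy.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoApply

# Show the resulting security filtering for review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# Inventory of every "GPO *" group and its members: the self-documenting
# convention only works if someone can list it in one command.
Get-ADGroup -Filter 'Name -like "GPO *"' | ForEach-Object {
    [pscustomobject]@{
        Group   = $_.Name
        Members = (Get-ADGroupMember -Identity $_ |
                   Select-Object -ExpandProperty SamAccountName) -join ', '
    }
}
```

Membership changes take effect after the computer's token is refreshed (a reboot is the reliable way); `gpresult /r /scope:computer` on a non-member will then show the GPO filtered out with reason "Security", and on a member it appears under applied GPOs.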

Commented:
See there is no Right or Wrong, what suits you Best is what matters.
Just keep two things in mind, be descriptive & document what you do.


Most Valuable Expert 2011

Commented:
Never ever modify your Default Policies.  There are two,...Default Domain Policy,...and Default Domain Controllers Policy.  Those are your safety net,...they are your way back to a normal world if things go bad.  If you totally screw something up with a GPO you can remove or unlink the GPO and the Default Policies will put you back to a somewhat normal state,...or at least a functioning state.   The only exception to that is that with 2003 and older Domains the Password Policies must be in the Default Domain Policy,...they won't work right elsewhere.

So,...always create NEW GPOs to make policy changes,...name them according to their purpose as a way of self documenting.   Group your settings into the properly named GPO that they would logically be associated with.

But don't go to extremes there either.  Too many individual policies can be bad too and can hurt performance.  "Balance" is everything.
