Group Policy security filtering based on AD Group
Posted on 2013-05-24
I have a scenario that is turning out to be problematic. We want to roll out a new password policy to the entire company but want to exclude a group of users in Active Directory from this policy.
We have the security tab of the policy set to deny this group policy to this AD group, but since the password settings are part of the computer configuration of a Group Policy, this deny permission has no effect - in other words, it would only deny settings in the user part of a Group Policy, since that is processed at login time, not computer start-up time.
Loopback processing can't be used because it is designed to ensure the computer settings stay the same regardless of the user who logs in.
In short - we want to deny the computer settings of a Group Policy to an AD user group.
Thanks in advance.