How to assign gpo to all computers except domain controller?

I have server 2008 R2. How to assign gpo to all workstations except domain controller?
I think I can use security filtering and WMI, but I'm not sure how to do it. Could you please show me an example?
You can apply the following WMI query to the GPO to select all computers except for DCs.

SELECT * FROM Win32_ComputerSystem Where DomainRole <> 4 AND DomainRole <> 5

You can also use a security filter and deny applying group policy to the Domain Controllers group.
okamonAuthor Commented:
>>You can also use a security filter and deny applying group policy to the Domain Controllers group

By default, the security policy is applied to Authenticated users. So how do I deny the domain controller? I don't see an option there....
okamonAuthor Commented:
Is it something like this? I added the domain controllers in "security policy"
and then I went to Delegation -> Advanced -> and checked Deny for all?

You don't want to deny all as it will cause policy errors. Please see the following article for properly denying the group.

Also note that if this GPO contains user settings then they can still apply on the domain controller if the user logging in has apply permissions.
Sushil SonawaneCommented:
Please refer below link to resolve your issue.


The domain controller computers reside in a different OU (Domain Controllers). Link the policy to the computer OU and do not link it to the Domain Controllers OU to resolve your issue.

okamonAuthor Commented:
Thanks. So I redid it again. This time I just added the DC server instead of the Domain Controllers group and gave it Deny permission on group policy. Is it fine like this? And can you tell me what the difference is between this one and my previous one?

The GPO is a computer GPO, nothing to do with users.

This will work, but if you add additional domain controllers they will apply the policy unless individually denied. I would stay with the group unless you have reason not to.

The main difference is that the domain controller can read the policy object and permissions, but will not apply the policy. This will help avoid unnecessary errors in the resultant set of policies.
First of all, domain controllers will be in the Domain Controllers OU unless you moved them to a different OU. So there is no issue of applying the policy to another OU that contains the computer objects. Just make sure all your DC computer objects are in the Domain Controllers OU.
okamonAuthor Commented:
I'm still not sure what you mean about my first screenshot. I applied it to the Domain Controllers group, but I denied everything there. And in my second screenshot, I just added the domain controller computer and ONLY denied "Apply group policy".

Did you mean it's better to use the Domain Controllers group instead of specifying the DC computer itself? And according to the article, it says to deny only "Apply group policy", not everything as in screenshot 1. Did you mean I will get errors in the resultant set of policies if I do it like in my screenshot 1?
If you are wanting to keep this policy from applying on domain controllers, then yes I'd say it would be better to use the group. This way if later on you add another domain controller you don't have to remember to add it separately.

Correct, deny only the "Apply group policy" so that it can still read the permissions and such.
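As an added example (not code from the thread), the two checks below verify the two approaches discussed above: the first runs the WMI filter query from the earlier answer against a machine and reports whether that machine would pass it, and the second reads a GPO's ACL and lists Deny entries, flagging any deny that goes beyond "Apply Group Policy" (the "deny everything" mistake from screenshot 1). It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and the caller can read the GPO; the function names are my own.

```powershell
# Added example, not from the thread. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1) Evaluate the thread's WMI filter on a machine. DomainRole meanings:
#    0/1 = standalone/member workstation, 2/3 = standalone/member server,
#    4 = backup domain controller, 5 = primary domain controller.
function Test-GpoWmiFilterMatch {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $query = "SELECT * FROM Win32_ComputerSystem WHERE DomainRole <> 4 AND DomainRole <> 5"
    $match = Get-WmiObject -ComputerName $ComputerName -Query $query
    $role  = (Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem).DomainRole
    [pscustomobject]@{
        ComputerName = $ComputerName
        DomainRole   = $role
        FilterPasses = [bool]$match   # $true = GPO applies here, $false = skipped (a DC)
    }
}

# 2) Audit a GPO's AD object ACL for Deny ACEs. The well-known extended right GUID
#    for "Apply Group Policy" is edacfd8f-ffb3-11d1-b41d-00a0c968f939.
function Get-GpoDenyEntries {
    param([Parameter(Mandatory)][string]$GpoName)
    $applyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $gpo = Get-GPO -Name $GpoName
    $dn  = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
        [pscustomobject]@{
            Trustee            = $_.IdentityReference
            Rights             = $_.ActiveDirectoryRights
            # Deny of only the Apply right is the recommended filter; anything
            # broader (read, etc.) is what causes the RSoP errors mentioned above.
            IsApplyOnlyDeny    = ($_.ObjectType -eq $applyRight)
        }
    }
}

# Usage:
#   Test-GpoWmiFilterMatch -ComputerName 'DC01'        # expect FilterPasses = False on a DC
#   Get-GpoDenyEntries -GpoName 'Workstation Settings'  # hypothetical GPO name
```

A correctly filtered GPO shows one Deny entry for the Domain Controllers group with IsApplyOnlyDeny = True; a broader Deny (read access included) reproduces the screenshot 1 configuration the thread advises against.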