Deny a user GPO to a computer?

Posted on 2014-08-08
Last Modified: 2014-08-19

I need to deny a user configuration policy to a specific computer. The policy is "Enable screen saver" and it is applied to authenticated users.

Is it possible to deny a user GPO to a computer? If so, how can it be achieved?

Question by:antonioking

    Expert Comment

    by:Thomas Marcussen
    The Block Policy inheritance option is set only on domains, and organizational units, but not on individual Group Policy objects.

    A solution could be to move the user to a OU without the linked policy or a OU where block inheritance is set

    More information can be found here:

    Expert Comment

    Thanks for your comment.

    I forgot to mention, that I would like all users who log onto this machine to be denied the user policy.


    Expert Comment

    by:Thomas Marcussen

    there is an example here on how to Prevent Group Policies from applying to Administrator accounts

    Might be the solution your looking for ?
    LVL 23

    Accepted Solution


    You can apply a user configuration to a user that logs into a specific computer
    You need to assign the user policy to the OU where the computer is in and make sure to enable Loopback processing. This feature enables you to assign user policies on a computer OU.

    The setting you need to set is
    Computer Configuration --> Policies --> Administrative Templates --> System --> Group policy --> User group policy loopback processing mode.

    Author Comment

    So the solution would be to change the GPO with the screensaver setting that is applying to a User OU and apply it to a computer OU with loopback processing mode on.
    I could then put the computers I want to exclude from the rule in a Group and deny the GPO to that group.
    LVL 23

    Expert Comment

    Yup, that kinda sums it up.. Or just move those machines to a different OU that doesn't have the policy applied.
    You would have the same soluiton though but normally i don't suggest an explicit deny for a computer group on an OU just for maintenance that is. Technically it would be the same.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Stuck in voice control mode on your Amazon Firestick?  Here is how to turn it off!!!
    With the shift in today’s hiring climate (, many companies are choosing to hire freelancers to get projects completed efficiently and inexpensively…
    The Bounty Board allows you to request an article or video on any technical topic, or fulfill a bounty request to earn points. Watch this video to learn how to use the Bounty Board to get the content you want, earn points, and browse submitted bount…
    Notifications on Experts Exchange help you keep track of your activity and updates in one place. Watch this video to learn how to use them on the site to quickly access the content that matters to you.

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    7 Experts available now in Live!

    Get 1:1 Help Now