Deny a user GPO to a computer?

Posted on 2014-08-08
Medium Priority
Last Modified: 2014-08-19

I need to deny a user configuration policy to a specific computer. The policy is "Enable screen saver" and it is applied to authenticated users.

Is it possible to deny a user GPO to a computer? If so, how can it be achieved?

Question by:antonioking

Expert Comment

by:Thomas Marcussen
ID: 40248308
The Block Policy inheritance option is set only on domains and organizational units, but not on individual Group Policy objects.

A solution could be to move the user to an OU without the linked policy or an OU where block inheritance is set.

More information can be found here: http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx#BKMK_block

Expert Comment

ID: 40248313
Thanks for your comment.

I forgot to mention, that I would like all users who log onto this machine to be denied the user policy.


Expert Comment

by:Thomas Marcussen
ID: 40248337

There is an example here on how to prevent Group Policies from applying to Administrator accounts.

Might be the solution you're looking for: http://support.microsoft.com/kb/816100 ?

Accepted Solution

rhandels earned 2000 total points
ID: 40248354

You can apply a user configuration to a user that logs into a specific computer.
You need to assign the user policy to the OU that the computer is in and make sure to enable Loopback processing. This feature enables you to assign user policies on a computer OU.

The setting you need to set is
Computer Configuration --> Policies --> Administrative Templates --> System --> Group policy --> User group policy loopback processing mode.
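
The loopback setup described in this answer, scripted with the GroupPolicy PowerShell module as an added example (not code from the thread). The GPO name and OU path are hypothetical placeholders; `UserPolicyMode` is the registry value behind the "User Group Policy loopback processing mode" setting.

```powershell
# Added example: enable loopback processing in a GPO and link it to a computer OU.
# Run on a machine with RSAT / the GroupPolicy module, as a user allowed to edit GPOs.
Import-Module GroupPolicy

$GpoName    = 'Workstations - User Settings (Loopback)'   # hypothetical GPO name
$ComputerOU = 'OU=Workstations,DC=example,DC=com'         # hypothetical OU holding the computers

# Registry value written by "User Group Policy loopback processing mode":
#   1 = Merge   - the user's normal GPOs apply first, then the user settings from
#                 GPOs that apply to the computer; the computer's GPOs win on conflict
#   2 = Replace - only user settings from GPOs that apply to the computer are used
$LoopbackKey  = 'HKLM\Software\Policies\Microsoft\Windows\System'
$LoopbackMode = 1

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User settings applied per computer via loopback'
}

# Computer Configuration side: turn loopback processing on.
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value $LoopbackMode | Out-Null

# Link the GPO to the computer OU unless a link is already there.
$existing = (Get-GPInheritance -Target $ComputerOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $ComputerOU -LinkEnabled Yes | Out-Null
}

# Read the setting back from the GPO and fail loudly if it is not what was requested.
$check = Get-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode'
if ($check.Value -ne $LoopbackMode) {
    throw "Loopback mode in '$GpoName' is $($check.Value), expected $LoopbackMode"
}
"Loopback mode $($check.Value) set in '$GpoName', linked to $ComputerOU"

# The user settings themselves (for example the screen saver policy) still have to be
# configured under User Configuration in this GPO.
# On an affected computer, after 'gpupdate /force' and a fresh logon, confirm with:
#   gpresult /scope user /r
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\System' -Name UserPolicyMode
```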

Author Comment

ID: 40268092
So the solution would be to change the GPO with the screensaver setting that is applying to a User OU and apply it to a computer OU with loopback processing mode on.
I could then put the computers I want to exclude from the rule in a Group and deny the GPO to that group.

Expert Comment

ID: 40268563
Yup, that kinda sums it up. Or just move those machines to a different OU that doesn't have the policy applied.
You would have the same solution though, but normally I don't suggest an explicit deny for a computer group on an OU, just for maintenance that is. Technically it would be the same.
