How to block GPO on a single computer in an OU, in W2k8?

There's a particular GPO I'd like to block on a single PC in an OU.  How to perform this?  Thanks.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joseph MoodyBlogger and wearer of all hats.Commented:
On the GPO, select delegation- advanced. Add the computer. Check allow Read - Deny Apply Group Policy.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LB1234Author Commented:
If it's a computer based policy, can I block it by adding the user instead?
Joseph MoodyBlogger and wearer of all hats.Commented:
No. If the GPO applies to a computer (the settings are under Computer Configuration), you can not block it by adding a user.
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

LB1234Author Commented:
Gotcha please look at the attached image. GPO pic
Even though this GPO functions properly, you'll notice that there are only user groups listed here, even though it's a computer GPO.  According to you, I would expect to see computers here not users.  Can you explain how I'm looking at this incorrectly?
Joseph MoodyBlogger and wearer of all hats.Commented:
The scoping includes authenticated users. This is a misleading group as it actually contains any object that authenticated - including computers.
LB1234Author Commented:
Ahh, I see.  Ok so I'll add the computer, run GPupdate, and we should be set.  Will let you know soon. Thanks.
Will SzymkowskiSenior Solution ArchitectCommented:
From my point of view using the "deny" is not a wise practice. It would be more desirable to set your Security Filtering accordingly. So rather than using "Authenticated Users" you would create a new Security Group (add your users/computers) to this group and add the group to Security Filtering. Then from there when you want to add/remove users/computers from this policy you just remove them from the group.

Will Deny work, yes but if you have other scenarios where you want to do the same thing, it will get messy using the Dent for each individual object.

Will SzymkowskiSenior Solution ArchitectCommented:
Ahh posted too late.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.