PowerShell Script that Excludes a Group of Users from a GPO


Would anyone know of a way to prevent a GPO from applying to a specified group or an OU using PowerShell (maybe even using WQL)?  We are looking to create a script to add to our automated server build script.

I know that you can accomplish denying GPOs to groups through the GUI in the Group Policy Management Console.

1. Open GPMC
2. Go to the GPO
3. Select the Delegations tab
4. Add the group
5. Click on the Advanced button below
6. Check "Apply group policy" in the "Deny" column

Is there a way to do this through PowerShell?  So far I have not found any cmdlets that can help.  If not PowerShell, is there a way to script this some other way?

I appreciate the help in advance.  Thanks!
Adam Brown, Sr Solutions Architect, commented:
The Set-GPPermission cmdlet can do it: https://technet.microsoft.com/en-us/library/hh967451%28v=wps.630%29.aspx

But it's only available in Server 2012 or newer.
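The "Deny Apply group policy" ACE from the GUI steps in the question, as a PowerShell function (an added example, not from this thread). Set-GPPermission's -PermissionLevel only grants levels (GpoRead, GpoApply, GpoEdit and so on), so this writes the Deny ACE for the "Apply Group Policy" extended right onto the GPO's AD container directly; it assumes the RSAT GroupPolicy and ActiveDirectory modules, a caller allowed to edit the GPO's security, and placeholder GPO and group names.

```powershell
# Added example, not from this thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules are installed and the caller may edit the GPO's ACL.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: PSDrive used below

# Extended right "Apply Group Policy" (well-known rightsGuid in the AD schema)
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Deny-GpoApplyToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop   # .Path is the groupPolicyContainer DN
    $sid = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).SID
    $gpcPath = "AD:\$($gpo.Path)"
    $acl = Get-Acl -Path $gpcPath
    # Object-specific Deny ACE on the Apply Group Policy right, not inherited by children.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $gpcPath -AclObject $acl
}

function Test-GpoApplyDenied {
    # Reads the ACL back so the build script can verify (or later audit) the exclusion.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $sid = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).SID
    $rules = (Get-Acl -Path "AD:\$($gpo.Path)").GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ApplyGroupPolicyGuid })
}

# Placeholder names; replace with the GPO and group used in your build.
Deny-GpoApplyToGroup -GpoName 'Server Baseline GPO' -GroupName 'GPO-Exclude-ServerBaseline'
Test-GpoApplyDenied  -GpoName 'Server Baseline GPO' -GroupName 'GPO-Exclude-ServerBaseline'
```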

Amit, IT Architect, commented:
One way is to keep the users in a separate OU, where you can apply the policy.
Will Szymkowski, Senior Solution Architect, commented:
It's not a good practice to use "Deny" on anything. However, on the GPO that is applying permissions, rather than using Authenticated Users, add all of the REQUIRED users/computers to a Security Group and then use that group for Security Filtering rather than Authenticated Users.

This would resolve your issues trying to block specific machines. Just don't add those machines to the new Security Group you create.

emag50 (Author) commented:
I appreciate the suggestions.  However, my main goal is to automate this task by creating a SCRIPT since we have many servers and many environments.  I already have the GPO I need to use scripted and part of the auto build with the help of acbrown2010 in a previous post.  Thanks again sir.

Now I need a way to prevent this GPO from applying to a specific group.

Without PowerShell I know there are multiple ways to do this through the GUI.  You can:

1. Open up GPMC and add the target group under "Delegation," selecting the Advanced button, then checking off "Apply group policy" under the Deny column.
2. Create a separate OU for just these groups and link the GPO to the OU (As Will suggested).
3. Create a WMI filter that excludes a specified group. WMI filter I created

I'm not sure if this is the best or easiest way to go about this, but I believe I can script this in PowerShell to create the WMI filter shown above and link it to the desired GPO using the proper cmdlets. What do you guys think? Again, ideally I'd like to make some kind of PS1 script out of this so that I can use it in all/new environments.
emag50 (Author) commented:
We will be upgrading all our environments to Server 2012 R2 in the near future. So when this transition happens I'll be able to utilize the new cmdlets that have more functionality with GPO permissions, as suggested by acbrown2010. Thanks guys.