

Guides on creating group policy exclusions and filters

Posted on 2017-10-19
High Priority
Last Modified: 2017-10-25
Up until now, almost all of the group policies I have created have been assigned to all authenticated users.

I'm now looking for guides and references on how to create group policy exclusions within Server 2016 so certain users or computers can be excluded from certain group policies.

Please provide me with references and guides on how to do this.
Question by:Knowledgeable

Assisted Solution

by:Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer
ID: 42337523
So, think of Group Policies as being like folder permissions. That is the best way I can describe it.

So, by default, Authenticated Users get a new policy that is created. Let's say that this policy I create is a screen saver policy, but I only want users in the Sales Group to have it. I could go into the Scope of the policy and add the Sales group to the Security Filtering and take out Authenticated Users. Thus, the policy will only be applied to the Sales Group. This is probably the simplest explanation I can give.

A great reference for group policy is by Jeremy Moskowitz, Group Policy.

Here is a good video. The author is a little hard to understand sometimes, but he explains it very well.


Accepted Solution

arnold earned 1500 total points
ID: 42337756
Adding to Steve's comment using security filtering, you could also use WMI filters.
Since you mention exclusionary, you would potentially still have authenticated_users in the security filter, and use WMI filters to exclude application of the GPO based on either a computer or user parameter.

You could, under the security tab, add a security group and deny it rights to view the GPO. Under Delegation, Advanced, you can deny a user or a security group rights. Note that this way of managing/controlling access might not be easily determinable down the line, compared to the security filter and WMI filter.

Ref. WMI filter: https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/
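
The options from both answers, scripted as an added example (not code from either poster): security filtering to one group, an audit that lists the hard-to-spot Deny entries, and a local test of a WMI-filter query. The GPO name, the `Sales` group and the `KIOSK` name prefix are hypothetical, and the script assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin workstation.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Hypothetical names used for illustration only.
$GpoName    = 'Screen Saver Policy'
$ApplyGroup = 'Sales'

# 1. Security filtering: give the Sales group Read + Apply on the GPO.
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup `
    -TargetType Group -PermissionLevel GpoApply

# Lower Authenticated Users from Apply to Read only. -Replace is required
# to reduce an existing permission level. Read is kept (rather than removing
# the entry) because, since the MS16-072 update, the computer account must
# be able to read a GPO for user settings in it to be processed.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Show the resulting delegation so the change can be reviewed.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied

# 2. Audit: list every GPO carrying a Deny ACE on "Apply Group Policy".
# Deny entries set under Delegation > Advanced do not appear in the
# Security Filtering pane, so they are easy to forget about later.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # Apply Group Policy extended right
Get-GPO -All | ForEach-Object {
    $gpo = $_
    (Get-Acl -Path "AD:\$($gpo.Path)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ApplyGpoRight
        } |
        Select-Object @{n='Gpo';e={$gpo.DisplayName}},
                      IdentityReference, ActiveDirectoryRights
}

# 3. WMI-filter exclusion: a GPO linked to a WMI filter applies only when
# the query returns at least one row. Run the query on a target machine to
# see which way it evaluates before attaching it to the GPO.
$Wql = "SELECT * FROM Win32_ComputerSystem WHERE NOT Name LIKE 'KIOSK%'"
$wouldApply = [bool](Get-CimInstance -Query $Wql)
"WMI filter evaluates to: $wouldApply"
```

After changing the scope, `gpresult /r` on a client in and out of the group confirms which GPOs were applied or filtered out.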

