Guides on creating group policy exclusions and filters

Up until now most all of the group policies I have created have been assigned to all authenticated users.

I'm now looking for guides and references on how to create group policy exclusions within Server 2016 so certain users or computers can be excluded from certain group policies.

Please provide me with references and guides on how to do this.
IT GuyNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
So, think of Group Policies as like folder permissions.  That Is the best way I can describe it.

So, by default, Authenticated Users get a new policy that is created. Lets say that this policy I create is a screen saver policy, but I only want users in the Sales Group to have it.  I could go into the Scope of the policy and Add the Sales group to the Security Filtering and take out Authenticated users.  Thus, the policy will only be applied to the Sales Group.  This is probably the simplest explanation I can give.

A great reference for group policy is by Jeremy Moskowitz, Group Policy.

Here is a good video. The author is a little hard to understand sometimes, but he explains it very well.
Adding to Steve's comment using security filtering, you could also use WMI filters.
Since you mention exclusionary, you would potentially still have authenticated_users in the security filter, and use WMI filters to exclude application of the GPO based on either a computer or user parameter.....

You could under the security tab add a security group and deny it rights to view the GPO under delegation, advanced you can deny a user or a security group rights. note this way of managing/controlling access might not be easily determinable down the line. compared to the security filter and wmi filter.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.