

Guides on creating group policy exclusions and filters

Posted on 2017-10-19
High Priority
Last Modified: 2017-10-25
Up until now most all of the group policies I have created have been assigned to all authenticated users.

I'm now looking for guides and references on how to create group policy exclusions within Server 2016 so certain users or computers can be excluded from certain group policies.

Please provide me with references and guides on how to do this.
Question by:Knowledgeable
LVL 18

Assisted Solution

by:Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer earned 1500 total points
ID: 42337523
So, think of Group Policies as being like folder permissions. That is the best way I can describe it.

So, by default, Authenticated Users get a new policy that is created. Let's say that this policy I create is a screen saver policy, but I only want users in the Sales Group to have it. I could go into the Scope of the policy and add the Sales group to the Security Filtering and take out Authenticated Users. Thus, the policy will only be applied to the Sales Group. This is probably the simplest explanation I can give.

A great reference for group policy is by Jeremy Moskowitz, Group Policy.

Here is a good video. The author is a little hard to understand sometimes, but he explains it very well.

LVL 81

Accepted Solution

arnold earned 1500 total points
ID: 42337756
Adding to Steve's comment using security filtering, you could also use WMI filters.
Since you mention exclusionary, you would potentially still have authenticated_users in the security filter, and use WMI filters to exclude application of the GPO based on either a computer or user parameter.

You could, under the security tab, add a security group and deny it rights to view the GPO; under Delegation, Advanced, you can deny a user or a security group rights. Note that this way of managing/controlling access might not be easily determinable down the line, compared to the security filter and WMI filter.

Ref. WMI filter: https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/
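
The security filtering and WMI filtering described in the two answers above can be set and audited with the GroupPolicy PowerShell module. This is an added example, not code from either poster; the GPO name is an assumption, and the Sales group is the one used in the first answer.

```powershell
# Added example. Requires the GroupPolicy module (GPMC / RSAT) and edit rights on the GPO.
Import-Module GroupPolicy

$GpoName = 'Screen Saver Policy'   # assumed GPO name for illustration
$Group   = 'Sales'                 # security group that should receive the policy

# 1. Add the group to Security Filtering (Read + Apply group policy).
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply

# 2. Take Authenticated Users out of Security Filtering by lowering it from
#    Apply to Read. -Replace is needed because a lower level does not
#    override an existing higher one. Read is kept on purpose: since the
#    MS16-072 update, user policy is retrieved in the computer's security
#    context, so computers must still be able to read the GPO (granting Read
#    to Domain Computers instead also satisfies this).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Audit the resulting ACL. Deny entries set by hand under
#    Delegation > Advanced are not visible on the Scope tab, so list every
#    trustee together with the Denied flag.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={$_.Trustee.Name}}, Permission, Denied, Inherited |
    Format-Table -AutoSize

# 4. List every GPO that has a WMI filter linked, so filter-based exclusions
#    can be found later as well.
Get-GPO -All |
    Where-Object { $_.WmiFilter } |
    Select-Object DisplayName, @{n='WmiFilter'; e={$_.WmiFilter.Name}}
```

After the change, `gpresult /r` on a client shows whether the GPO was applied or filtered out, and the reason.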


Question has a verified solution.
