How do you exclude a user or computer from a group policy object?

If you have a GPO applied on the computer level then you won't be able to exclude the user as you are applying computer settings and not user ones. However, you can exclude the computer from the GPO so that its settings will not be applied.

If you would like to make the user a local administrator then you can exclude the computer from the GPO applying the Restricted Groups settings and then manually configure the local Administrators group membership.

This posting is provided AS IS with no warranties or guarantees, and confers no rights.

Ahmed MALEK


When working with Group Policy, we often need to exclude specific clients or machines from a setting. Creating a separate group for excluded clients is not a perfect solution for this scenario. Instead, you can use the Delegation tab of a Group Policy Object (GPO) to exclude clients or machines.

In this article, we'll see how you can apply a GPO to only the users or computers you want. To exclude the rest of the targets in your organization, follow the process described below. Before you start, make sure that the objects you want to exclude already exist in your organization. For example, if you want to exclude a Test User account, that account must already have been created.

To illustrate the process, I'll exclude a Test User account in this example. I've already created this Test User account. The example uses a user, but you can follow a similar process to exclude a machine.

1. Open Group Policy Management by running the gpmc.msc command.

2. In the Group Policy Management window, locate the GPO from which you want to exclude the user and, in the corresponding right pane, click on Delegation. Then click on the Advanced button.

3. Next, in the Security Settings window, click on the Add button.

4. In the next window, type the user you want to exclude and click Check Names. If you're not sure about the exact user name, click on Advanced, search for the user and add it here. Once the user is listed, click on OK.

5. Back in the Security Settings window, select the user you added in the previous step. Then, under Permissions, scroll down, locate Apply group policy and check Deny. Click Apply, then OK.

6. In the confirmation prompt that appears next, click Yes.

7. Finally, the user should be listed with custom permissions for the GPO. This means that the user is now excluded from the GPO.

You can now close the Group Policy Management window. The setting takes effect once the Group Policy engine is updated.

That’s it!

Usually, when Group Policy is applied, it is applied to all computers, all user groups, or all users. There are no exceptions. However, if you want to exclude individual users or computers from a Group Policy Object (GPO), there is a method that lets you exclude a single user or computer. Before we start: this works on a Windows 10 computer that is part of a domain, which means you cannot apply it to computers you use at home.

Exclude Individual Users or Computers from Group Policy Object

  1. In the Group Policy Management Console (GPMC), select the Group Policy Object to which you want to apply the exception.
  2. Click on the “Delegation” tab and then click on the “Advanced” button.
  3. Click on the Add button and choose the user or computer that you want to exclude from group policy enforcement.
    • When searching, users are the default search mode.
    • Switch the search to all object types to list computers as well.
    • You can also add a user group if you want to block a bunch of users.
  4. Select the user, user group, or computer you added.
  5. Locate Apply group policy under Permissions and check Deny. Click Apply and then OK.
  6. Link the group policy to a container or OU (if you haven’t done so already).

Open Command Prompt by typing cmd in the Run prompt (Win+R) and launching it with Ctrl+Shift+Enter. This opens a command prompt with admin permission.

Next, type gpupdate and press the Enter key to execute the command. It will instantly apply the change on the computer, with the exception in place.

That’s about it.

I hope the post was easy to follow, and you were able to exclude individual users or computers from a Group Policy Object.

Make sure you group people whenever possible; otherwise, it will be difficult to remember and manage them.


You have created a Group Policy with some settings/restrictions, but you want to exclude a user or computer from the policy.

In this example I'll show you how to exclude a computer from a Group Policy, but the same procedure works for users. We'll be excluding a computer from the Windows Update GPO, which I demonstrated how to create here – https://www.informaticar.net/?p=2058

!!! It is recommended to create a new GPO for every setting/restriction. If you put all your settings/restrictions into one GPO, it will be very hard to administer and manage.

Let's start the tutorial.

I created a group called "NoUpdates" in Active Directory Users and Computers and added a computer called SCSERVER to that group (the same computer or user can be a member of multiple groups in AD).

Next stop is Group Policy Management | the Group Policy Object I created for Windows Update settings, called Windows_Update | choose the Delegation tab | choose Authenticated Users | click the Advanced button at the bottom right of the screen.

Click the Add button.

Enter the name of the group (or user/computer) that you want to exclude from the GPO (I'll choose the NoUpdates group I created at the beginning of the tutorial) | OK

Choose the group/user/computer you added and, under Permissions, for the setting "Apply group policy" tick Deny | confirm with Apply | OK

If you want to check the results immediately, run the command gpupdate /force in a command prompt (you need to run it as administrator) on the computer that the exclusion applies to.

For some GPO settings that won't be enough and you'll have to restart the computer.

In my case, the server had automatically scheduled update installation.

After the exclusion..

That's it, exclusion for one computer or user or group works.
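The Delegation-tab procedure from the tutorials above, scripted, together with an audit that lists every existing Deny on "Apply group policy" so that exclusions from a policy do not go unnoticed. This is an added example, not code from the original articles; the function names and the EXAMPLE domain are assumptions, while Windows_Update and NoUpdates are the names used in the last tutorial.

```powershell
# Added example (not from the articles above). Run on a domain-joined machine
# with RSAT installed, as an account allowed to change the GPO's permissions.
Import-Module GroupPolicy, ActiveDirectory   # ActiveDirectory provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Add-GpoApplyDeny {
    # Scripted form of Delegation > Advanced > Add > "Apply group policy": Deny.
    # Set-GPPermission has no Deny level, so the ACE goes on the GPO's AD object.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Identity   # 'DOMAIN\name'; computers end in $
    )
    $path    = 'AD:\' + (Get-GPO -Name $GpoName -ErrorAction Stop).Path
    $account = [System.Security.Principal.NTAccount]$Identity
    # Resolve the name first so a typo fails here instead of at Set-Acl
    $null    = $account.Translate([System.Security.Principal.SecurityIdentifier])
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $account,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGpoRight)
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GpoApplyDeny {
    # Audit: list every principal that is denied "Apply group policy" on any GPO.
    # An empty ObjectType means the Deny ACE covers all extended rights.
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($gpo in Get-GPO -All) {
        (Get-Acl -Path ('AD:\' + $gpo.Path)).Access |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                ($_.ActiveDirectoryRights -band $extended) -and
                ($_.ObjectType -eq $ApplyGpoRight -or $_.ObjectType -eq [guid]::Empty)
            } |
            Select-Object @{n = 'Gpo'; e = { $gpo.DisplayName }}, IdentityReference, IsInherited
    }
}

# Usage (EXAMPLE is a placeholder domain; the GPO and group names are the tutorial's):
#   Add-GpoApplyDeny -GpoName 'Windows_Update' -Identity 'EXAMPLE\NoUpdates'
#   Get-GpoApplyDeny | Sort-Object Gpo | Format-Table -AutoSize
# On the excluded computer, after gpupdate /force:
#   gpresult /r /scope computer    # the GPO is listed as filtered out, "Denied (Security)"
```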
