Exclude One Computer from GPO

KB ID 0001852

Problem

You have a requirement that one computer (or a group of computers) should NOT have a specific GPO applied. If that is the case, this is how to achieve that goal.

Note: The same procedure can be used to Exclude a GPO from one user (or a group of users).

Solution : Exclude One Computer from GPO

First, find the computer in question (in my case it’s called PNL-ZERTO-2022) and take a note of which OU it is in.

From the Group Policy Management console (on a DC or another machine that has the management tools installed), locate that OU. You can see that there are some GPOs directly linked to that OU, but to see all the GPOs affecting that OU you need to go to the ‘Group Policy Inheritance’ tab.

On the computer itself I can run gpresult /r and it will show me all the COMPUTER GPOs that are being applied. For this exercise I want to stop the policy called CP-Wireless-Policy applying to this machine.

Back in the Group Policy Management Console, locate the GPO in question, then under Security Filtering > Add > Add in the computer object (remember that computers are not selected by default, so you may need to tick the box).

Delegation Tab > Select the computer > Advanced > Select the computer > Tick to DENY full control > Apply > Yes > OK.

Exclude One Computer from GPO : Testing

Before you leave the Group Policy Management console, you can create a Group Policy Modelling element to test that the policy you do NOT want applied has been denied.

On your client machine, after a reboot or a forced group policy update, running gpresult /r should show that CP-Wireless-Policy is no longer being applied.
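Exclusions made this way are easy to forget, so it helps to be able to list them. The following is an added example (not part of the original article) that reports every Deny entry on a GPO that blocks ‘Apply Group Policy’, including the Deny full control set above. It assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules are installed and that the account running it can read GPO permissions.

```powershell
# Added example: list principals that a Deny ACE excludes from each GPO.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are available.
Import-Module GroupPolicy, ActiveDirectory

# GUID of the "Apply Group Policy" extended right in Active Directory.
$applyGpo = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$report = foreach ($gpo in Get-GPO -All) {
    # $gpo.Path is the distinguished name of the GPO container in AD.
    $acl = Get-Acl -Path "AD:\$($gpo.Path)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }

        # Deny full control covers every extended right (empty ObjectType);
        # a narrower Deny may name the Apply Group Policy right only.
        $coversExtended = ([int]$ace.ActiveDirectoryRights -band $extRight) -ne 0
        $coversApply    = $ace.ObjectType -eq [guid]::Empty -or
                          $ace.ObjectType -eq $applyGpo
        if (-not ($coversExtended -and $coversApply)) { continue }

        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            Excluded  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# One row per excluded computer, user or group.
$report | Sort-Object GPO, Excluded | Format-Table -AutoSize
```

An empty result means no GPO in the domain has a Deny entry of this kind.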

Exclude one Computer from GPO (GPP)

If you are deploying Group Policy Preferences (GPP), then you can also use Item-Level Targeting, and set the targeting to computer name IS NOT (so that it applies to all other computer names).


Group Policy: Item-Level Targeting

KB ID 0001654

Problem

Yesterday I wrote a post about Deploying a ‘Mapped’ Drive to a couple of users using Group Policy. This received a comment that was basically ‘Why not simply use Client Targeting?’ To be fair, that’s a good point: I was using a Group Policy Preference, and they can be specifically targeted. So here’s how to do that.

Solution

If you do not already have one, create a group for your users.

Add the users (as appropriate).

On a Domain Controller > Administrative Groups > Locate the OU that contains your users (Note: if your users are in multiple OUs, then after you have created the policy simply ‘Link’ it to the applicable OUs).

Edit the policy.

User Configuration > Preferences > Windows Settings > Drive Maps > New > Mapped Drive > Action = Create > Location = Set the UNC path to the mapped drive > Tick ‘reconnect’ > Label as ‘What you want the user to see it called’ > Select the drive letter you want.

Common tab > Select Item-level targeting > Targeting > New Item.

Security Group. (Look at all the other cool stuff you can specify to target this group policy preference!)

Add in your security group > OK > OK > Apply > OK.

Then either wait, or force a group policy update.

To prove it’s not all ‘Smoke and Mirrors‘, I log on as one of those users and…
