Exclude One Computer from GPO

Exclude One Computer from GPO KB ID 0001852


You have a requirement that you want one computer (or a group of computers) NOT to have a specific GPO applied. If that is the case, then this is how to simply achieve that goal

Note: The same procedure can be used to Exclude a GPO from one user (or a group of users).

Solution : Exclude One Computer from GPO

Let’s find the computer in question, in my case it’s called PNL-ZERTO-2022, take a note of which OU it is in.

Locate Computer in OU

From the Group Policy Management console (on a DC or another machine that has the management tools installed) Locate that OU, you can see that there are some GPOs directly linked to that OU, but to see all the GPOs affecting that OU you need to go to the ‘Group Policy Inheritance’ tab.

See All GPOs Applied to a computer

On the computer itself i can run gpresult /r and it will show me all the COMPUTER GPOs that are being applied. For this exercise I want to stop the policy called CP-Wireless-Policy applying to this machine.

show which GPOs are being applied

Back in our Group Policy Management Console locate the GPO in question then under Security Filtering > Add > Add in the computer object (remember computers is not selected by default so you may need to tick the box).

Delegation Tab > Select the computer > Advanced > Select the computer > Tick to DENY full control > Apply > Yes > OK.

Exclude One Computer from GPO : Testing

Before you leave the Group Policy Management console, you can simply create a group policy modelling element that tests the policy you want NOT to be applied, has been Denied.

Exclude one Computer form GPO Modeling

On your client machine, after a reboot, or a force of group policy, running gpresult /r should show the the CP-Wireless-Policy is no longer being applied.

Exclude one Computer from GPO

Exclude one Computer from GPO (GPP)

If you are deploying GPP group policy preferences, then you can also use Item-Level Targeting, and then set the targeting to the computer-name-IS-NOT (so that it applies to all other computer names.

Exclufe one computer form GPO GPP

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *