Let’s say you have a group policy object that you are applying to a group of users. Maybe you have one user that is a member of this group that you would like to filter from receiving those group policy settings. For instance a client was using a global group that had restricted settings for the desktop, control panel, registry etc. However, there was one user they wanted to remain a member of this group however, not receive the custom group policy settings. This is easily accomplished with the group policy management console settings and “filtering” GPO settings. Microsoft allows for a very granular approach to group policy which allows us to pick and choose if we need which users receive or don’t receive policy settings.
Group Policy Management Console:
On a Windows 7 Enterprise workstation we have the RSAT tools loaded so the Group Policy Management Console is included there. Simply launch the console under your administrative tools or type gpmc.msc into a run menu.
After you have launched the group policy management console you need to navigate to the “Group Policy Objects” container from within the management console:
Click the policy you want to filter and notice on the right had side of the screen the tabs that become available to us for the particular policy: Scope, Details, Settings, Delegation
We want to choose the Delegation tab and then all the way on the bottom right hand corner, there is an Advanced… button. Click the Advanced button.
When we click the Advanced button, we get a Security dialog box that we are familiar with for assigning permssions. Here however, we want to add the user we don’t want to receive the settings and check the following permisssions: Deny – Read, Deny – Apply group policy as shown below:
Even if the user is a member of a group that receives the policy settings, the “deny” permissions trump the allow permissions, so it will effectively disregard the policy settings.
Group policy settings are are an effective way of restricting functionality for a user or group of users. However, if we want a user to be a member of a certain group while at the same time, prevent the user from receiving policy settings applied to the rest of the group, we can use the method described above to filter the group policy object to apply a granular set of settings for a particular user.