Group Policy

Preventing a user from receiving group policy settings


Let’s say you have a group policy object that you are applying to a group of users. Maybe one user who is a member of this group should not receive those group policy settings. For instance, a client was using a global group that had restricted settings for the desktop, Control Panel, registry, etc. However, there was one user they wanted to keep as a member of this group without receiving the custom group policy settings. This is easily accomplished by “filtering” the GPO in the Group Policy Management Console. Microsoft allows a very granular approach to group policy, which lets us pick and choose which users receive or don’t receive policy settings.

Group Policy Management Console:

On a Windows 7 Enterprise workstation we have the RSAT tools loaded, so the Group Policy Management Console is included there. Simply launch the console from Administrative Tools or type gpmc.msc into the Run dialog.

After you have launched the Group Policy Management Console, navigate to the “Group Policy Objects” container in the console tree.

Click the policy you want to filter and notice, on the right-hand side of the screen, the tabs that become available for that policy: Scope, Details, Settings, Delegation.

Choose the Delegation tab. In the bottom right-hand corner there is an Advanced… button. Click the Advanced button.

When we click the Advanced button, we get the familiar Security dialog box used for assigning permissions. Here, however, we want to add the user who should not receive the settings and check the following permissions: Deny – Read, Deny – Apply group policy.

Even if the user is a member of a group that receives the policy settings, the “deny” permissions trump the allow permissions, so it will effectively disregard the policy settings.
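Because a Deny entry quietly exempts an account from restrictions the rest of its group receives, it is worth being able to list every such exemption. The following read-only audit is an added example, not part of the original post: it assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules are installed and that the account running it can read the GPO objects in the domain. It reports each Deny entry on a GPO that blocks Read or Apply group policy, which is what the Advanced dialog above creates.

```powershell
# Added example (not from the original post): list Deny ACEs that filter GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Rights GUID of the "Apply Group Policy" extended right
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericRead   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$domainDn = (Get-ADDomain).DistinguishedName

$findings = foreach ($gpo in Get-GPO -All) {
    # Each GPO is stored as CN={GUID},CN=Policies,CN=System,<domain DN>
    $dn  = 'CN={0},CN=Policies,CN=System,{1}' -f $gpo.Id.ToString('B'), $domainDn
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $rights = [int]$ace.ActiveDirectoryRights

        # Deny on the Apply Group Policy right, or on all extended rights (empty GUID)
        $deniesApply = (($rights -band $ExtendedRight) -ne 0) -and
                       ($ace.ObjectType -eq $ApplyGpoRight -or
                        $ace.ObjectType -eq [guid]::Empty)
        # Deny covering every bit of Read
        $deniesRead  = ($rights -band $GenericRead) -eq $GenericRead

        if ($deniesApply -or $deniesRead) {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = $ace.IdentityReference.Value
                DeniesApply = $deniesApply
                DeniesRead  = $deniesRead
                Inherited   = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Individual user accounts in the Trustee column are the exemptions to review first, since they are the kind of per-user filter this procedure creates.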

Final Thoughts

Group policy settings are an effective way of restricting functionality for a user or group of users. However, if we want a user to be a member of a certain group while at the same time preventing that user from receiving policy settings applied to the rest of the group, we can use the method described above to filter the group policy object and apply a granular set of settings for a particular user.

 


Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
