JSI Tip 6420. More about filtering the scope of a GPO.

In tip 4231, I briefly described how to filter the scope of a Group Policy Object (GPO).

NOTE: See tip 2492 for filtering the scope of a local GPO.

For a better explanation, see MSDN article Filtering the Scope of a GPO, which contains:

Filtering the Scope of a GPO

By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups.

Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List (ACL) editor. To start the ACL editor, select the Security tab of the property page for the GPO. Then set access permissions using discretionary access control lists (DACLs) to allow or deny access to the GPO by specified groups. By changing the Access Control Entries (ACEs) within the DACL, the effect of any GPO can be modified to exclude or include the members of any security group. For more information about security groups, see How Security Groups are Used in Access Control.

To apply a GPO to a specific group, both the Read and Allow Group Policy ACEs are required. By default, all Authenticated Users have both these permissions set to Allow. Since everyone in an organizational unit is automatically an Authenticated User, the default behavior is for every GPO to apply to every Authenticated User. However, domain administrators, enterprise administrators, and the LocalSystem account already have full control permissions, by default, without the Apply Group Policy ACE. Therefore, since administrators are also Authenticated Users, they too, by default, will receive the policy settings in the GPO. This may not be the appropriate scenario.

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The easiest method is to remove (uncheck Allow) both the Read and Allow Group Policy ACEs for the group. Another method involves removing the Apply Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Apply Group Policy ACE to Deny for groups of users that do not require the policy.

Warning  Use the Deny ACE with caution. A Deny ACE setting for any group has precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs and ACEs, see Access Control.

In addition, by default, every computer receives a local GPO that contains registry policy settings and security-specific policy settings. This is useful for computers that are not members of a domain.

Administrators can also use WMI Filters for exception management. WMI Filters allow administrators to specify a WMI-based query to filter the effect of a GPO. WMI Filters are written in WMI Query Language (WMQ).

For more information, see Applying Group Policy.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.