Block GPO using Delegation Option in Windows

There are several ways to keep a GPO from applying to specific users or computers. Security filtering, WMI filtering and (for Group Policy Preferences items) item-level targeting are the usual tools and give cleaner control over policy scope, but an administrator should also know that a GPO can be blocked from the Delegation tab. This is not the preferred way to create a GPO exclusion: the Delegation tab exists to grant or deny someone rights over the GPO object itself. Under the hood, however, security filtering and delegation are the same access control list on the GPO, and a Deny entry set here does not appear in the Security Filtering list on the Scope tab. Knowing this is useful when troubleshooting GPO inheritance and unexpected filtering.

How to Block GPO using Delegation Option in Windows

In this scenario, a company has a domain controller running Windows Server 2012 R2. A policy named "Global User Policy" is linked to the Global Users OU, which contains all employee user accounts.

An IT security requirement states that this policy must apply to all employees except temporary ones. All temporary employees have been added to a security group named "TEMP_EMPLOYEES", which can be used as the identifier. The step-by-step procedure to block the GPO using the Delegation tab is shown below:

1. Open the policy delegation option

In the Group Policy Management console, select the policy in the left pane. In the right pane, click the Delegation tab to see the current configuration.

2. Adding security groups

On the Delegation tab, click the Add button at the bottom left.

A pop-up will appear; type the security group name and click the Check Names button to verify it, then click OK.

Another pop-up will appear; confirm the group name is correct and leave the default Read permission as it is (we will change it in the next step), then click OK.

Notice that the security group has now been added to the Delegation list with Read permission.

3. Modify the permission

Still on the Delegation tab, click the Advanced button at the bottom right.

In the security dialog that appears, scroll down the group list and highlight the security group to be excluded, then scroll down the permission list and tick the Deny box for "Apply group policy". Leave Read as Allow.

Click OK to confirm and answer Yes to the warning message, which is the standard Windows notice that Deny entries take precedence over Allow entries.

Warning: only deny "Apply group policy", never Read. A Deny on Read for an administrative account makes the GPO unmanageable from that account, and a Deny on Read for a broad group such as Authenticated Users or Domain Computers breaks policy processing for everyone: since the MS16-072 security update (June 2016), user policies are retrieved in the computer's security context, so the computer account must still be able to read the GPO.

Notice in the console that the group is now shown with Custom permission.

4. Verify the result

After running gpupdate /force on the client, use gpresult /r to see which policies applied to the user. For a user account that is a member of TEMP_EMPLOYEES, gpresult /r lists Global User Policy under "The following GPOs were not applied because they were filtered out" with the reason "Filtering: Denied (Security)".

For users who are not members of the group, the policy is still applied normally.

In this way we have excluded the temporary employees from receiving the Global User Policy while leaving the GPO link and the existing security filtering untouched.
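The same four steps, scripted in PowerShell, as an added example that is not part of the original article. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the session runs as an account allowed to modify the GPO's security descriptor, and that the GPO and group names match the scenario above. Set-GPPermission can only grant Allow entries, so the Deny is written to the ACL of the GPO's groupPolicyContainer object in Active Directory directly; the "Apply Group Policy" extended right is identified by its well-known schema GUID.

```powershell
# Added example: reproduce the GPMC Delegation steps with PowerShell.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, a domain-joined
# session with rights to change the GPO's ACL, and the article's names.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Global User Policy'
$GroupName = 'TEMP_EMPLOYEES'

# Well-known GUID of the "Apply Group Policy" extended right (AD schema constant).
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Step 2 equivalent: add the group with Read (Allow) so it appears on the
# Delegation tab, exactly as the "Add" button did.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Step 3 equivalent: there is no cmdlet for Deny entries, so edit the ACL of
# the GPO container (CN={GUID},CN=Policies,CN=System,<domain>) directly.
$gpo      = Get-GPO -Name $GpoName
$domainDn = (Get-ADDomain).DistinguishedName
$gpoPath  = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
$groupSid = (Get-ADGroup -Identity $GroupName).SID

$acl = Get-Acl -Path $gpoPath

# Deny the "Apply Group Policy" extended right only. Read stays Allow, so the
# client can still enumerate the GPO; it is simply filtered out at apply time.
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($denyApply)
Set-Acl -Path $gpoPath -AclObject $acl

# Step 4 equivalent (server side): confirm the Deny ACE is really on the object
# before asking a user in TEMP_EMPLOYEES to run gpupdate /force and gpresult /r.
(Get-Acl -Path $gpoPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGroupPolicyGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

After the script runs, the Delegation tab in GPMC shows TEMP_EMPLOYEES with Custom permission and the Advanced view shows the Deny on "Apply group policy", the same state the manual steps produce. On the client side the result is verified as in step 4: gpresult /r for a member of the group reports the GPO as filtered out with "Denied (Security)".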

Conclusions

The Delegation tab can be used to block a GPO from applying to a specific target. Remember that a Deny permission takes precedence over an Allow permission, so a Deny "Apply group policy" entry on one group overrides the Allow that the same users receive through Authenticated Users. Because the Scope tab's Security Filtering list shows only Allow entries, a Deny like this is invisible there; an administrator troubleshooting a GPO that does not apply should always check the Delegation tab (and its Advanced view) on the policy object. Such entries are often found on policy objects migrated from older domain controllers, where they quietly narrow the policy scope.

Using the Delegation tab is an alternative way to control GPO scope. However, the other methods mentioned above should be preferred before deciding to block a GPO this way, and any Deny entry that is created should be documented so the next administrator does not have to rediscover it.
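Because Deny entries do not show up in the Scope tab, a domain-wide audit is the practical way to find them during troubleshooting. The following script is an added example, not part of the original article; it assumes the RSAT GroupPolicy and ActiveDirectory modules and read access to every GPO container, and walks every GPO's ACL looking for Deny ACEs. Any Deny on "Apply Group Policy" is reported by name; any other Deny (in particular one on read rights) is reported with its raw rights so it can be reviewed, since a denied Read breaks policy retrieval for the affected computers or users.

```powershell
# Added example: list every Deny ACE on every GPO in the domain.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules and read access to
# the groupPolicyContainer objects under CN=Policies,CN=System.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known GUID of the "Apply Group Policy" extended right.
$ApplyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$domainDn = (Get-ADDomain).DistinguishedName

function Find-GpoDenyAce {
    foreach ($gpo in Get-GPO -All) {
        $path = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
        $acl  = Get-Acl -Path $path

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }

            # Classify the Deny: the one this article creates, or something else
            # (a Deny on read rights is the dangerous case; see the warning above).
            $denied = if ($ace.ObjectType -eq $ApplyGroupPolicyGuid) {
                'Apply Group Policy'
            } else {
                "Other: $($ace.ActiveDirectoryRights)"
            }

            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Trustee   = $ace.IdentityReference.Value
                Denied    = $denied
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: one row per Deny ACE; an empty result means no GPO carries a Deny entry.
Find-GpoDenyAce | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Run this before blaming inheritance or link order when a GPO silently fails to apply: a row with Denied = "Apply Group Policy" for a group the user belongs to is exactly the "Denied (Security)" result that gpresult /r reports on the client.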

Arranda Saputra

ITIL Certified, CCNA, CCDA, VCP6-DCV, MCSA Administering Windows Server 2012
I am an IT practitioner in real life with a specialization in network and server infrastructure. I have years of experience in the design, analysis, operation, and optimization of infrastructure solutions for enterprise-scale networks. You can send me a message on LinkedIn or email arranda.saputra@outlook.com for further inquiry regarding the things I wrote or opportunities to collaborate on a project.