There are several ways to stop a GPO from applying to specific users or computers. Item-level targeting, security filtering and WMI filtering give better control of the policy scope in practice, but administrators should also know that a GPO can be blocked through the Delegation tab. This is not the best way to create a GPO exclusion, because the Delegation tab is intended to grant or deny someone the right to do something with the GPO (read it, edit it, apply it), not to define its scope. Still, knowing about it is useful, especially when troubleshooting GPO inheritance: a Deny entry set here is easy to overlook.
How to Block GPO using Delegation Option in Windows
In this scenario, a company has a Domain Controller running Windows Server 2012 R2. A policy named “Global User Policy” is linked to the Global Users OU, which contains all employee user accounts.
An IT security requirement says this policy must apply to all employees except the temporary ones. All temporary employees have been added to a security group named “TEMP_EMPLOYEES”, which can be used as the identifier. The step-by-step procedure to block the GPO using the Delegation option in Windows is shown below:
1. Open the policy delegation option
In the Group Policy Management console, select the policy name in the left pane. In the right pane, click the Delegation tab to see the current configuration (which groups and users can read, edit and apply the GPO).
2. Add the security group
On the Delegation tab, click the Add button at the bottom left.
A pop-up will appear; type the security group name and click the Check Names button to verify it, then click OK.
Another pop-up will appear; confirm the group name is correct and leave the default Read permission as it is (we’ll modify it later), then click OK to confirm.
Notice that the security group has now been added to the Delegation list with Read permission.
3. Modify the permission
Still on the Delegation tab, click the Advanced button at the bottom right.
In the window that appears, scroll through the group list and highlight the security group we want to exclude, then scroll down the permission list and tick the Deny box for “Apply group policy”. Leave Read as Allow: a user is filtered out of a GPO as soon as they lack the Apply group policy right, so denying Read is not needed for the exclusion.
Click OK to confirm and answer Yes to the warning message that appears (Windows reminds you that Deny entries take precedence over Allow entries).
Warning: be careful not to set Deny on the “Read” permission for a group that contains administrator accounts, or the policy becomes unreadable, and therefore uneditable, for them. Read must also stay granted to Authenticated Users (or at least to Domain Computers): since security update MS16-072 (June 2016), user policy is retrieved in the computer’s security context, and a GPO that the computer account cannot read is not applied to users at all.
Notice in the console that the group now shows Custom permission. The Deny entry itself is not visible in this summary view; only the Advanced dialog shows it, which is exactly why this kind of exclusion is easy to miss later.
4. Verify the result
After running gpupdate /force on a client, use gpresult /r (or gpresult /r /scope:user) to see which policies were applied to the user. For a user account that is a member of the TEMP_EMPLOYEES group, Global User Policy is listed under “The following GPOs were not applied because they were filtered out” with the reason “Filtering: Denied (Security)”.
For users who are not members of the group, the policy still applies normally.
In this way we have excluded the temporary employees from receiving the Global User Policy.
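The same exclusion can be created from PowerShell instead of clicking through GPMC. The script below is an added example and is not part of the original article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the session runs as a user allowed to edit the GPO’s security, and that the GPO and group names match the scenario above. Set-GPPermission can only write Allow entries, so the Deny on “Apply group policy” is written directly to the GPO’s DACL in Active Directory.

```powershell
# Added example: steps 1-4 of the article done from PowerShell.
# Assumptions: GroupPolicy + ActiveDirectory modules, rights to edit GPO security,
# and the GPO/group names from the article's scenario.
Import-Module GroupPolicy
Import-Module ActiveDirectory    # also provides the AD: PSDrive used by Get-Acl / Set-Acl

$gpoName   = "Global User Policy"
$groupName = "TEMP_EMPLOYEES"

# GUID of the "Apply Group Policy" extended right (fixed value, identical in every forest)
$applyGpoRight = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"

$gpo   = Get-GPO -Name $gpoName
$group = Get-ADGroup -Identity $groupName
$sid   = $group.SID
$ntAccount = $sid.Translate([System.Security.Principal.NTAccount])

# The GPO's Active Directory container: cn={GUID},cn=policies,cn=system,DC=...
$gpcPath = "AD:\" + $gpo.Path

# Step 2 equivalent: GPMC adds the group with Read when you click Add; mirror that.
Set-GPPermission -Guid $gpo.Id -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# Step 3 equivalent: explicit Deny on the "Apply Group Policy" extended right.
# The client evaluates this right on the GPO container itself, so no inheritance is needed.
$acl = Get-Acl -Path $gpcPath
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($denyApply)
Set-Acl -Path $gpcPath -AclObject $acl

# Step 4 equivalent (server side): read the DACL back and show what is denied to the group.
# Run gpupdate /force and gpresult /r on a client to confirm "Denied (Security)".
$acl = Get-Acl -Path $gpcPath
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $ntAccount.Value } |
    ForEach-Object {
        $right = if ($_.ObjectType -eq $applyGpoRight) { 'Apply Group Policy' } else { "$($_.ActiveDirectoryRights)" }
        "{0}: Deny {1}" -f $_.IdentityReference.Value, $right
    }
```

GPMC keeps the permissions of the GPO container in Active Directory and of the GPT folder in SYSVOL in sync; this script only edits the Active Directory side, so the next time the GPO is opened in GPMC it may report that the SYSVOL permissions are inconsistent and offer to synchronize them. Accept that prompt. The filtering decision itself is made against the Active Directory object, so the Deny is effective as soon as Set-Acl has run.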
The Delegation option can be used to block a GPO from applying to a specific target. Remember that a Deny permission takes precedence over an Allow permission: a user or computer needs both Read and Apply group policy for the GPO to apply, and an explicit Deny on either wins over any Allow granted through other group memberships. Knowing this, administrators should check the Delegation tab, and its Advanced view, on the policy object when troubleshooting GPO problems. Such Deny entries are often found on policy objects migrated from older Domain Controllers, where they cause unexpected policy-scope issues. Because the entry is an ordinary ACE on the GPO object, anyone who can modify the GPO’s security can add one, and an unexpected Deny on Apply group policy quietly exempts the trustee from whatever the policy enforces; it is worth auditing GPOs for such entries periodically rather than only when something breaks.
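For the troubleshooting and auditing case described above, the following added example (not from the original article) lists every Deny entry on every GPO in the domain, so Delegation-based exclusions show up without opening each GPO’s Advanced dialog. It assumes the GroupPolicy and ActiveDirectory RSAT modules and a session that can read the GPO containers; the function name Get-GpoDenyEntry is this example’s own.

```powershell
# Added example: enumerate Deny ACEs on all GPOs and say which GPO-relevant right they deny.
# Assumptions: GroupPolicy + ActiveDirectory modules, read access to the GPO containers.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$applyGpoRight = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"   # "Apply Group Policy" extended right
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readRights    = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty, ListChildren, ReadControl'

function Get-GpoDenyEntry {
    # Hypothetical helper for this example; -Domain defaults to the current user's domain.
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $acl = Get-Acl -Path ("AD:\" + $gpo.Path)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }

            $isExtended = ([int]($ace.ActiveDirectoryRights -band $extendedRight)) -ne 0
            $isRead     = ([int]($ace.ActiveDirectoryRights -band $readRights))    -ne 0

            # A Deny of ExtendedRight with an empty ObjectType denies *all* extended rights,
            # which includes Apply Group Policy, so treat it the same way.
            $what = if ($isExtended -and ($ace.ObjectType -eq $applyGpoRight -or $ace.ObjectType -eq [Guid]::Empty)) {
                        'Apply Group Policy (GPO filtered out for trustee)'
                    } elseif ($isRead) {
                        'Read (GPO unreadable for trustee)'
                    } else {
                        "$($ace.ActiveDirectoryRights)"
                    }

            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                Trustee   = $ace.IdentityReference.Value
                Denied    = $what
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Report: every "Apply Group Policy" row is a Delegation-based exclusion like the one
# built in this article. Cross-check each trustee against documented scope decisions.
Get-GpoDenyEntry | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run this from a management workstation as part of a periodic GPO review, or diff its output against a saved baseline; a new Deny row on a hardening GPO that nobody requested is worth investigating as a possible tampering attempt, not only as a scoping mistake.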
Using the policy Delegation option is an alternative way to control GPO scope. However, it is recommended to use the other methods (security filtering, WMI filtering, item-level targeting) before deciding to block a GPO using the Delegation option in Windows, and to document any Deny entry you do create so that it is not mistaken for a migration leftover later.