Exclude users from GPO

Gelegation IN GPO

Sometimes you don’t want to implement group policy on all of added users in an organizational unit, you want some users from same OU will not effect from a GPO with which we are imposing restrict on other users.

For example we have an organization unit of 10 users and we want to restrict the 5 users of this OU from using gadgets on windows 7 using a group policy object, on the other hand we also don’t want to allow remaining users for using gadgets using a single GPO. I will show you that how you can perform the delegation in a GPO, for demonstration I am using two workstations: a domain controller w7cloud.com and a client computer PC2.w7cloud.com.

First I have created a group policy object (GPO-w7cloud) and turn off the desktop gadgets from Computer ConfigurationPolicies Administrative TemplatesWindows ComponentsDesktop Gadgets. And apply this group policy to an active directory organizational unit HR you can learn more about the applying GPO to an OU in windows server 2008.

turn off desktop gadgets using GPO

Now open the group policy object and from delegation tab add the users or security group for those you want to allow the desktop gadgets by click the advance button and add required the users and assign them the appropriate rights. In my case want to allow the desktop gadgets for hr2@w7cloud.com  so I have added this into delegation and assign him read rights and deny apply group policy rights.

Gelegation IN GPO

Now for testing login into client machine as I am trying  hr@w7cloud.com for which we have disable the desktop gadgets, when I try to open the gadgets it will show the following message which means it is working find for this user.

GPO restriction error

While when you will login with other user that we have added in delegation, it able to use the desktop gadgets.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *