Skip to main content

Group Policy Security Filtering

An administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List (ACL) editor. To start the ACL editor, select the Security tab of the property page for the GPO. Then set access permissions using discretionary access control lists (DACLs) to allow or deny access to the GPO by specified groups. By changing the Access Control Entries (ACEs) within the DACL, the effect of any GPO can be modified to exclude or include the members of any security group. For more information about security groups, see How Security Groups are Used in Access Control.

To apply a GPO to a specific group, both the Read and Apply Group Policy ACEs are required. By default, all Authenticated Users have both these permissions set to Allow. Because everyone in an organizational unit is automatically an Authenticated User, the default behavior is for every GPO to apply to every Authenticated User. However, domain administrators, enterprise administrators, and the LocalSystem account already have full control permissions, by default, without the Apply Group Policy ACE. Therefore, because administrators are also Authenticated Users, they too, by default, will receive the policy settings in the GPO. This may not be the appropriate scenario.

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The recommended method is to remove (clear Allow) both the Read and Apply Group Policy ACEs for the group. Another method involves removing the Apply Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Apply Group Policy ACE to Deny for groups of users that do not require the policy.

Warning: A Deny ACE setting for any group takes precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs, and ACEs, see Access Control.

The ACLs associated with a GPO control Security Filtering for that GPO. These ACLs contain a series of ACEs for different security principals (user accounts, computer accounts, security groups and built-in special identities). Here’s how to view the default ACL on a GPO:

  1. Open the Group Policy Management Console (GPMC).
  2. Expand the console tree until you see the Group Policy Objects node.
  3. Select a particular GPO under the Group Policy Objects node.
  4. Select the Delegation tab in the right-hand pane.

If you want to get even more detailed, click on the Advanced button. Clicking on the Advanced button will allow you to view the Apply Group Policy permission that was missing from the Delegation tab. The Delegation tab of a GPO only displays ACEs for security principals that actually process the GPO, which means those secuirty principals have the Apply Group Policy permission set to Allow. If you want a GPO to be processed by a security principal in a container linked to the GPO, there’s a minimum requirement for permissions. Your chosen security principal must have the following permissions to the GPO:

  • Allow Read
  • Allow Apply Group Policy

So how do you filter a GPO to a particular group, user or computer? Well the first thing you want to do is restrict who can apply that GPO. If you navigate to that Delegation tab, you’ll notice that by default Authenticated Users has Allow permission to both Read and Apply group policy permissions.

  1. Click the Advanced button.
  2. Click on Authenticated Users in the Group or user names list.
  3. Scroll down in the Permissions list until you find Apply group policy, and uncheck the Allow box.

Now we need to add the object that you want the GPO to apply to.

  1. Click the Add button.
  2. Enter the object name(s) that you want the group policy to apply to, and click the OK button.
  3. Click on the object(s) that you want to the GPO to apply to in the Group or user names list.
  4. Scroll down in the Permissions list until you find Read, and uncheck the Allow box.
  5. Scroll down in the Permissions list until you find Apply group policy, and uncheck the Allow box.
  6. Click the OK button.

Now when you link that GPO, the GPO will filter and not apply to objects that do not match the criteria you set.

  • Recent Posts
Infrastructure Architect , Topgolf

Scott is an experienced professional and recognized leader specializing in the design and implementation of enterprise virtualization, enterprise storage, server infrastructures and operations. A self-starter able to work both independently and in a team-oriented environment, Scott has a proven ability to create and automate solutions to improve productivity, reliability and performance. Throughout his professional career, Scott has proven successes implementing technology and service improvement initiatives and has a demonstrated ability to think strategically about business, create technical definition around objectives in complex situations, develop solution strategies, motivate and mobilize resources, and deliver end-to-end technology solutions. Scott has achieved multiple industry recognized certifications in virtualization, networking, cloud, storage, converged infrastructure, hyperconverged infrastructure and other technologies, and is honored to be a VMware vExpert in 2018-2021, and vExpert EUC 2020.




VMware vExpert 2018
VMware vExpert 2019
VMware vExpert 2020
VMware vExpert 2021
VMware vExpert EUC 2020-2021

Double VCP – Data Center Virtualization & Desktop Mobility
Double VCP – Data Center Virtualization & Cloud Management
Double VCP – Data Center Virtualization & Network Virtualization
Double VCP – Network Virtualization & Desktop Mobility
Double VCP – Network Virtualization & Cloud Management
Double VCP – Cloud Management & Desktop Mobility


VMware Certified Associate – Digital Business Transformation 2020
VMware Certified Professional – Desktop and Mobility 2020
VMware Certified Professional – Data Center Virtualization 2020
VMware Certified Professional 6 – Desktop and Mobility
VMware Certified Professional 6 – Cloud Management and Automation
VMware Certified Professional 6 – Network Virtualization
VMware Certified Professional 6 – Data Center Virtualization
VMware vSphere 6 Foundations
Dell Technologies Cloud Platform Administrator 2020
Dell Technologies Virtual Desktop Infrastructure 2019
Dell Technologies Specialist – Infrastructure Security Version 1.0
Dell Technologies Specialist – Systems Administrator, VxRail Appliance Version 1.0
Dell Technologies Associate – Converged Systems and Hybrid Cloud Version 2.0
Dell Technologies and VMware Co-Skilled Associate – Converged Systems and Hybrid Cloud
IBM Enterprise Design Thinking Practitioner
IBM Enterprise Design Thinking Co-Creator
SolarWinds Certified Professional
Zerto Certified Professional: Enterprise Engineer 8.0
Zerto Certified Asociate: Foundations 8.0
Zerto Certified Professional: Basic 6.0
Zerto Certified Professional: Basic 5.0







Spread the love!