GPO

GPO – Deny single user/Group

1. First, find the GPO GUID

To find the GPO GUID, connect to a DC server and open Active Directory PowerShell:

Get-GPO -All | Select-Object DisplayName,Id | Sort-Object DisplayName > C:\gpo.txt


2. Find the GPO in Active Directory with an LDAP search

That GUID is an attribute on an object in Active Directory, so you can query for it:

(&(objectCategory=groupPolicyContainer)(name={D45A4D0F-77BE-4116-9F5B-CF96E81D2DDC}))


3. Right-click the GUID – Properties – Security

4. Advanced

5. Add the user/group

6. Set Deny on Apply Group Policy
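
Steps 1 to 6 above can also be scripted. The following PowerShell is an added example, not code from the original page; the GPO name and the principal are assumed placeholders, and it needs the GroupPolicy and ActiveDirectory modules. It ends by reading the ACL back so the resulting exemption can be reviewed.

```powershell
# Added example; values marked "assumed" are placeholders, not from the page.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Example Policy'         # assumed GPO display name
$Principal = 'CONTOSO\ExemptGroup'    # assumed user or group to exclude

# rightsGuid of the "Apply Group Policy" extended right
$ApplyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# Step 1: resolve the GPO GUID from its display name
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Step 2: locate the groupPolicyContainer object with the LDAP filter
$filter = "(&(objectCategory=groupPolicyContainer)(name={$($gpo.Id)}))"
$gpc    = Get-ADObject -LDAPFilter $filter -ErrorAction Stop
if (-not $gpc) { throw "No groupPolicyContainer found for '$GpoName'" }

# Steps 3-6: add a Deny ACE for Apply Group Policy to the object's ACL
$adPath = "AD:\$($gpc.DistinguishedName)"
$acl    = Get-Acl -Path $adPath
$sid    = ([System.Security.Principal.NTAccount]$Principal).Translate(
              [System.Security.Principal.SecurityIdentifier])
$ace    = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
              $sid,
              [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
              [System.Security.AccessControl.AccessControlType]::Deny,
              $ApplyGpoRight)
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Read back: list every principal denied Apply Group Policy on this GPO
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ApplyGpoRight } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

Running only the final read-back pipeline against each GPO gives a list of principals that are exempt from that policy.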


______________________________________________________________

GPO – Delegate permissions to non-Administrative Users

In Active Directory, administrators are automatically granted permissions for performing different Group Policy management tasks.

Other individuals can be granted such permissions through delegation:

To grant GPO creation permission to a user or group, follow these steps:

  1. In GPMC – Select the Group Policy Objects node.
  2. In the right pane, select the Delegation tab. The current GPO creation permissions for individual users and groups are listed.
  3. To grant the GPO creation permission to another user or group, click Add.
  4. In the Select User, Computer, Or Group dialog box, select the user or group you want to grant