GPO – Deny single user/Group
1. First you need to find the GPO Guid
To Find the group Guide Connect to a dc server and open Active Directory PowerShell
get-gpo -all |select-object DisplayName,id |sort name >c:\gpo.txt
2. Find in Active directory the GPO with ldap search
That guid is an attribute on an object in Active Directory, so you can query for it:
3.Right Click On the Guid – Properties -security
5.Add the user/group
6.Deny on – Apply Group Policy
GPO – Delegate permissions to non-Administrative Users
In Active Directory, administrators are automatically granted permissions for performing different Group Policy management tasks.
Other individuals can be granted such permissions through delegation:
To grant GPO creation permission to a user or group, follow these steps:
- In GPMC – Select the Group Policy Objects node.
- In the right pane, select the Delegation tab. The current GPO creation permissions for individual users and groups are listed.
- To grant the GPO creation permission to another user or group, click Add.
- In the Select User, Computer, Or Group dialog box, select the user or group you want to grant