GPO deny not working for group

JustAnotherUser 36 Reputation points

We want to deny a group policy for a group of computers. If I add the computers individually to the delegation tab with deny read and deny apply, the group policy does not apply. If I add an AD group with these computers as members, the policy still applies.

Is there a way to deny a group of computers from applying a GPO or do I have to add each computer manually? Or maybe a better question is why does the deny work individually and not work at all for a group?

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,707 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,802 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Thameur-BOURBITA 32,496 Reputation points

    Hi @JustAnotherUser

    Did you try clear kerberos ticket in the cache by restarting computer ?

    When you add or remove user or computer from a AD group , you should clear kerberos ticket in the cache to be taken in account.

    Please don't forget to mark helpful answer as accepted

    0 comments No comments