Exclude GPO for some domain hosts under the same OU?

jim 0 Reputation points

Excuse me, I'm currently trying to solve a GPO-assigning task in an AD domain which is utilizing Windows Server 2019.

I'm new to the Microsoft AD domain but will try to avoid asking stupid questions.

The task is to apply GPO to domain hosts which are inside an OU and having no negative impact on production environment is the primary objective.

Therefore, I decided to have the GPO be applied one host by one host to make sure the situation can be controlled.

(The GPO included hundreds of settings and is difficult to examine each one. It's okay I'll solve the problem of complexity of the settings.)

Since the domain hosts are located in an OU, I'm thinking about how to apply the GPO to a host first and then the rest in a simple and efficient way that does not make the management of GPO/OU more difficult.

Considering all the options and searching other questions such as this one and this, I noticed that the "security filtering" will solve it, and creating 1 OU for 1 host could also be a solution.

Can anyone give me some suggestions on which method would be the best for such a situation? (apply a GPO to one host at a time, where the hosts are all under an OU)

And maybe the critical steps that I should be aware of?

thx in advance.


1 answer

  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor

    Hello jim,

    Thank you for posting in our Q&A forum.

    Here are my suggestions for your references:
    Way 1
    If you are trying to do some tests, you can do as below:
    1. Create one new OU.
    2. Move this one host to this new OU.
    3. Link this GPO with hundreds of settings to this OU.
    4. Run gpupdate /force on this host or restart this host to refresh the GPO setting.
    5. Check the GPO application is fine.
    If it is OK, you can move this host to the original OU and link this GPO to the original OU.

    Way 2
    If you only want to apply this GPO with hundreds of settings to one host in the OU (this host cannot be moved to another OU),
    you can set Security filtering on this GPO.
    Do not remove "Authenticated users"; make Authenticated users have "Read" permission.

    Add computer group. Make computer group have "Read" and "Apply group policy" permissions.

    Hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
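
The security filtering described in Way 2, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original answer; the GPO name, group name and host name are hypothetical placeholders, and the GPO is assumed to be already linked to the OU.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# All three names are hypothetical placeholders; replace them with your own.
$GpoName   = 'Baseline-Settings'      # GPO with the settings to roll out
$GroupName = 'GPO-Pilot-Computers'    # security group used for filtering
$PilotHost = 'PILOT-HOST01'           # first host that should receive the GPO

# 1. Create the computer group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# 2. Add the pilot host to the group (skip if it is already a member).
$computer = Get-ADComputer -Identity $PilotHost
$members  = Get-ADGroupMember -Identity $group
if ($members.SID -notcontains $computer.SID) {
    Add-ADGroupMember -Identity $group -Members $computer
}

# 3. Keep Authenticated Users on the GPO, but lower it from the default
#    Read + Apply to Read only. -Replace is needed to lower a permission.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Give the computer group Read + Apply group policy (GpoApply).
Set-GPPermission -Name $GpoName -TargetName $GroupName `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Verify: the pilot group should be the only trustee that can apply the GPO.
$appliers = Get-GPPermission -Name $GpoName -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
if (@($appliers).Count -eq 1 -and $appliers -eq $GroupName) {
    Write-Output "OK: only '$GroupName' applies '$GpoName'."
} else {
    Write-Warning "Unexpected Apply trustees: $($appliers -join ', ')"
}
```

A computer picks up new group membership only after a restart, so reboot the pilot host before checking the result with `gpresult /r /scope computer`. To extend the rollout, add the next host to the group.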

