Active Directory - How to disable GPO for a specific admin group (not standard users)

Maverick128 31 Reputation points
2021-08-20T22:11:17.087+00:00

Hello,

After multiple searches, I unfortunately cannot find a solution to a problem with GPO's (Windows 2019 Server).

I created a GPO which activates the firewall (Computer Configuration), computers present in an OU (Dekstops). This one works perfectly to users. But I want to deactivate it for a specific admin group. To do this I applied in the delegation a "Deny" in "Apply group policy" (admins group).

Also, this group is a member of local Administrators (with another GPO, I used "Restricted Groups" to do that)

After performing several tests with a member of this admin group and executed some "gpupdate /force", the GPO still applied. Do you have a solution to bypass this GPO for my admin group ?

I also tried to apply the loopback on this GPO but still the same result ... Thank you for your help and advices.

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,481 questions
Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,799 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,935 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andreas Baumgarten 97,731 Reputation points MVP
    2021-08-20T22:55:45.417+00:00

    Hi @Maverick128 ,

    have you tried the loopback processing for the GPO?
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/loopback-processing-of-group-policy

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

  2. Maverick128 31 Reputation points
    2021-08-20T23:33:22.043+00:00

    Hello @Andreas Baumgarten ,

    Thanks for the reply. Yes, I tried the "Group Policy loopback" with the both modes : Merge / Replace. Unfortunately, same result...

    Below the configuration :

    125175-image.png

    125108-image.png 125138-image.png

    125100-image.png

    0 comments
  3. Maverick128 31 Reputation points
    2021-08-25T16:47:49.62+00:00

    Anyone have a solution or an idea to resolve this problem ?

    Is it possible to bypass the "computer configuration" policies for a specific group ?

    Many thanks.

    Best,

    0 comments