So far, we have learned that the Security Filtering section is all about granting the permissions a user or computer needs to apply a GPO, but what if you want to flip things around? What if you have a GPO that is linked to a particular location, and you want everyone in that location to receive the GPO settings, except for just a handful of people? The Security Filtering section has no accommodation for such a request (it cannot deny specific users, computers, or groups), but there is a way to do it. We will make use of the advanced Delegation properties that we viewed in the previous section of this chapter.
The newly created GPO for Lock down Control Panel is a good example. This policy is linked at the domain level and is currently security filtered to Authenticated Users, so at this point in time as soon as I add settings to this GPO, it will start applying to every computer and user in the entire domain. That is almost what I want to do, except that I certainly don't want to lock myself out of using the Control Panel, so I want to create an exclusion to this policy to prevent my own user account from receiving these settings.
We will leave the Security Filtering section alone, so that Authenticated Users remains listed there and everyone else continues to receive these settings. Then, inside the Delegation tab of the GPO, I will click on the Advanced... button. Now we are viewing the full permissions list (the ACL) associated with this GPO, and I am going to use the Add... button to add in a new group that I just created called IT Gurus. Once added, IT Gurus will automatically have Read access to the GPO, and that is fine; no need to modify that setting. What we do want to modify is the Apply group policy permission, by checking the box in the Deny column:
Explicit Deny permissions are evaluated before Allow permissions, so in this configuration everyone will receive these Control Panel lockdown settings, except for any users who are members of the IT Gurus group. Membership is evaluated against the user's token, so members of groups nested inside IT Gurus are excluded as well. Because Read is still allowed, the client can still see the GPO; it simply reports it as filtered out (gpresult shows it under the GPOs that were not applied, with the reason Denied (Security)), and those users continue to be able to use the Control Panel on the machines they are logging in to.
While this is a very powerful way of manipulating GPO permissions, it is also a dangerous one. A Deny permission created here barely surfaces anywhere else inside GPMC. The Security Filtering section does not express it at all; it will continue to show you that Authenticated Users should be receiving this policy, and you would have no idea when looking at the Scope tab that there were any further permissions in place. The Delegation tab only lists IT Gurus with a permission level of Custom, which tells you nothing about what was denied until you open Advanced... again. So this is a choice you will have to make whenever setting Deny permissions: is it worth the potential trouble in the future? What if you forget about these Deny entries? Are you going to check the Delegation | Advanced settings every single time that you work with a GPO? What if you transition to another role in the company and some other administrator needs to fill your shoes? How likely is it that they will know how to utilize Deny permissions to create exclusions for GPO application? These are all good questions to consider before making this a regular practice in your environment.
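Because the Scope tab hides these exclusions, the practical answer to "what if you forget?" is to audit for them rather than rely on memory. The following PowerShell script is an added example, not part of the original chapter: it walks every GPO in the current domain with the GroupPolicy module's Get-GPPermission cmdlet, reports each Deny entry on Apply group policy, and expands the excluded group recursively so you can see who is really being passed over, nested members included. The group name IT Gurus and the GPO name Lock down Control Panel come from the chapter; the function names are my own. Note that Set-GPPermission has no way to write a Deny entry, so the Deny itself is still created in the ACL editor exactly as described above; this script only finds it afterwards.

```powershell
# Added example: audit every GPO in the domain for Deny entries on
# "Apply group policy", the exclusions that the Scope tab never shows.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT / GPMC) and
# an account that can read GPO permissions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoApplyDenials {
    # Returns one object per (GPO, trustee) pair where Apply group policy is denied.
    foreach ($gpo in Get-GPO -All) {
        # -All returns one GPPermission object per trustee in the GPO's ACL,
        # including Deny entries, which carry Denied = $true.
        $denied = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' }

        foreach ($ace in $denied) {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $ace.Trustee.Name
                TrusteeType = $ace.Trustee.SidType
                Permission  = $ace.Permission
                Denied      = $ace.Denied
            }
        }
    }
}

function Get-ExcludedPrincipals {
    # A Deny on a group also catches members of nested groups, so expand
    # membership recursively to see everyone the exclusion really affects.
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

# 1. Domain-wide report of hidden exclusions. Run this periodically, or before
#    handing a GPO to another administrator.
$denials = Get-GpoApplyDenials
$denials | Format-Table Gpo, Trustee, TrusteeType, Permission, Denied -AutoSize

# 2. For the chapter's example, show exactly who is skipped by the
#    Lock down Control Panel policy because of the IT Gurus Deny.
$denials |
    Where-Object { $_.Gpo -eq 'Lock down Control Panel' -and $_.Trustee -eq 'IT Gurus' } |
    ForEach-Object { Get-ExcludedPrincipals -GroupName $_.Trustee } |
    Format-Table -AutoSize

# 3. To confirm the exclusion from the client side, log on as an excluded user
#    and run:  gpresult /r /scope:user
#    The GPO is listed under the policies that were NOT applied, with the
#    reason "Denied (Security)".
```

If the first report comes back empty, no GPO in the domain carries a Deny on Apply group policy, and whatever is shown in Security Filtering is the whole story. Any row it does return is an exclusion that someone reading the Scope tab would never see, which is exactly the kind of thing worth documenting next to the GPO itself.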