How to Configure Security Group Filters for GPOs in Windows 11/10

Group Policy is an important tool that allows network administrators responsible for Microsoft Active Directory to implement specific configurations for users and computers. It is a tool that can apply security settings to users and computers. This is very handy if you want to manage user permissions. This post will tell you how you can configure security group filters in Windows.

Security group filters in GPOs

How to configure security group filters for GPOs in Windows?

There are two main things you can do when configuring Group Policy filtering. These are:

  • Allow group members to apply GPOs
  • Prevent group members from applying GPOs

Now let us walk you through the steps to allow or prevent groups from applying GPOs.

note: It works with computers or users that are joined to a domain or Windows Server. Also, the Group Policy Management Tool is different from the Group Policy Editor.

1]Allow group members to apply GPOs

All users or groups to modify a GPO

The first method is to allow a group of members to apply a security filter to a GPO. If you want to allow other users to make changes to the GPO, you need to do the following:

  • First, launch the Group Policy Management Console. Or you can use any other server management tool.
  • In the navigation menu, find and click the GPO you want to modify.
  • Next, under Security Filtering, click Authenticated Users and click Remove. You need to remove the default permission granted to all authenticated users to restrict the GPO to only the groups you specify.
  • Click on Add.
  • Next, select the User, Computer, or Group dialog box.
  • Type the following name of the group whose members should apply the GPO and click OK.
  • Alternatively, you can click More to view a list of groups available in the domain.

2]Prevent group members from applying GPOs

In addition to allowing a group to apply security filters to a GPO, you must also prevent members from applying the GPO. And this can be done by following these steps:

  • First, launch the Group Policy Management Console.
  • Find and click the GPO you want to modify in the navigation pane.
  • Then, in the details pane, click the Delegation tab.
  • Click on More.
  • In the list of group or user names, click Add.
  • Next, select the User, Computer, or Group dialog box.
  • Now enter the name of the group whose members you want to prevent from applying the GPO and click OK.
  • You can also click More to view a list of groups available in the domain.
  • After that, select a group in the list of group or user names and select the check box in the “Prohibit” column for the “Read” and “Apply” group policies.
  • Finally, click OK > Yes.

That’s it for how to configure Group Policy security filtering in Windows. Using the Group Policy Management Console, you can easily allow or deny users, computers, or groups to apply GPOs. Now check it out for yourself. If you get stuck anywhere, feel free to comment below.

What is GPO delegation?

A Group Policy Object (GPO) is a set of settings that control the appearance and behavior of a system for a specified group of users. Delegate control of GPOs in Active Directory allows you to give end users permission to perform specific Group Policy tasks that are normally handled by administrators.

Do you need authenticated users for GPOs?

It’s always good to have authenticated users in any GPO, but you can always refine it as needed. Just be careful with GPOs and check them carefully. it’s a good idea to prefer to create GPOs using PowerShell scripts so that the administrator can save them in case they need to recreate them later.