{
	"id": "0aebd434-ca9c-418f-b0f0-b9b2c63971c6",
	"created_at": "2026-04-06T00:14:13.014208Z",
	"updated_at": "2026-04-10T13:12:33.40399Z",
	"deleted_at": null,
	"sha1_hash": "994fa217fc210f51aa6e4be5195fced47c64a02c",
	"title": "Filtering the Scope of a GPO",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35706,
	"plain_text": "Filtering the Scope of a GPO\r\nBy REDMOND\\\\markl\r\nArchived: 2026-04-05 21:09:04 UTC\r\nBy default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational\r\nunit. The administrator can further specify the computers and users that are affected by a GPO by using\r\nmembership in security groups.\r\nAn administrator can add both computers and users to security groups. Then the administrator can specify which\r\nsecurity groups are affected by the GPO by using the Access Control List (ACL) editor. To start the ACL editor,\r\nselect the Security tab of the property page for the GPO. Then set access permissions using discretionary access\r\ncontrol lists (DACLs) to allow or deny access to the GPO by specified groups. By changing the Access Control\r\nEntries (ACEs) within the DACL, the effect of any GPO can be modified to exclude or include the members of\r\nany security group. For more information about security groups, see How Security Groups are Used in Access\r\nControl.\r\nTo apply a GPO to a specific group, both the Read and Apply Group Policy ACEs are required. By default, all\r\nAuthenticated Users have both these permissions set to Allow. Because everyone in an organizational unit is\r\nautomatically an Authenticated User, the default behavior is for every GPO to apply to every Authenticated User.\r\nHowever, domain administrators, enterprise administrators, and the LocalSystem account already have full control\r\npermissions, by default, without the Apply Group Policy ACE. Therefore, because administrators are also\r\nAuthenticated Users, they too, by default, will receive the policy settings in the GPO. This may not be the\r\nappropriate scenario.\r\nThere are different methods administrators can use to prevent a GPO policy from applying to a specific group (for\r\nexample, to administrators). The recommended method is to remove (clear Allow) both the Read and Apply\r\nGroup Policy ACEs for the group. Another method involves removing the Apply Group Policy ACE for\r\nAuthenticated Users, and then explicitly granting the permission by checking Allow for the individual security\r\ngroups that should receive the policy settings. You can also set the Apply Group Policy ACE to Deny for groups\r\nof users that do not require the policy.\r\n[!Warning]\r\nA Deny ACE setting for any group takes precedence over any Allow ACE granted to a user or computer\r\nas a result of membership in another group.\r\nFor more information about ACLs, DACLs, and ACEs, see Access Control.\r\nIn addition, by default, every computer receives a local GPO that contains registry policy settings and security-specific policy settings. This is useful for computers that are not members of a domain.\r\nAdministrators can also use WMI Filters for exception management. WMI Filters allow an administrator to\r\nspecify a WMI-based query to filter the effect of a GPO. WMI Filters are written in WMI Query Language.\r\nhttps://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo\r\nPage 1 of 2\n\nFor more information, see Applying Group Policy.\r\nSource: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo\r\nhttps://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo"
	],
	"report_names": [
		"filtering-the-scope-of-a-gpo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/994fa217fc210f51aa6e4be5195fced47c64a02c.pdf",
		"text": "https://archive.orkl.eu/994fa217fc210f51aa6e4be5195fced47c64a02c.txt",
		"img": "https://archive.orkl.eu/994fa217fc210f51aa6e4be5195fced47c64a02c.jpg"
	}
}