Limiting software usage through GP delegation

To apply a group policy to just a few selected computers in an OU containing many other computers, you can use Group Policy delegation. There are a couple of ways of doing this: one involves Denying access to a group of computers and the other involves Allowing access to a group of computers. It really depends on your local OU structure and what you want to achieve as to which method you use.


First of all, create a security group of computers (call it something meaningful) and add the PCs that you *don’t* want to get the policy.

Run the Group Policy Management Console/Snapin, and browse to the group policy in question. Click/double-click it so that you see the tabs Scope, Settings, Detail and Delegation in the right-hand pane.

Click on the Delegation tab.

Click Advanced.

Click Add and enter the name of the group of computers. (If you just want to specify a single computer name, that’s okay, but you’ll need to click on Object types first and check the Computers box – groups are easier to maintain though).

Once you’ve added the computer/group of computers to the ACL, you’ll need to check the *DENY* on Apply Group Policy. In this example, I’ve denied rights to UCS Cluster Computers to apply the policy 3 Central 7-zip 4.42:


This is more or less the same procedure. Create a group of computers that you *do* want to get the policy. Click on Delegation… Advanced so that the Security box appears. Remove Authenticated users from the ACL, and add your group of computers. Ensure that Apply Group Policy is selected for this group. ISS use this method for securing the 5 Licensed software policies.

Now what?

Now when you apply the group policy to an OU, only the PCs that are in the allow/deny group will be allowed/denied access to the software.

If you’re using the old Group Policy management tool (the one that’s integrated into Users and Computers), you can make the same changes by just right-clicking the Group Policy, selecting Properties, and then the Security tab.

You can use this method to secure any Group Policy regardless of its purpose, the policy doesn’t necessarily need to be a software policy. For example you can limit application of a policy that adds users to a local machine admin group.

Something to note

To change delegation on a group policy, you must have rights to modify the policy security.

One thought on “Limiting software usage through GP delegation

  1. why not use Security Filtering in the scope tab of the policy in the GPM console? There, it’s easier to see where the policy is applied.


Leave a Reply

Your email address will not be published. Required fields are marked *