How to Configure Windows Server 2019 Group Policy Security Filtering
Group Policy Security Filtering controls which users and computers a GPO applies to within a linked OU, domain, or site. By default, all GPOs apply to the Authenticated Users group, which includes all domain users and computers. Security Filtering lets you scope GPO application to specific security groups, individual users, or specific computers — providing fine-grained policy control without requiring complex OU structures. This guide covers configuring Security Filtering, combining it with WMI filters, and understanding Deny permissions for exclusions.
Understanding Security Filtering vs. WMI Filtering
Security Filtering controls who the GPO applies to based on group membership and ACL permissions. WMI Filtering controls whether the GPO applies based on the state of the computer (e.g., OS version, hardware). They work together: a GPO with a Security Filter will only apply to users/computers in the specified group AND (if a WMI filter is attached) only when the WMI query returns true. Security Filtering is evaluated using two permissions on the GPO’s ACL: Read and Apply Group Policy. Both must be allowed for the GPO to apply.
Viewing and Modifying Security Filtering in GPMC
In the Group Policy Management Console, select a GPO and click the Scope tab. The Security Filtering section shows which principals the GPO applies to. By default, Authenticated Users is listed. To restrict the GPO to a specific group, remove Authenticated Users and add the target group.
Important: Removing Authenticated Users also removes the default Read permission from all domain computers. When you add a security group to the Security Filtering section, ensure the group has both Read and Apply Group Policy permissions. Always also grant Read permission to Domain Computers (without Apply Group Policy) to allow DCs to read the GPO object.
Configuring Security Filtering with PowerShell
Use the GroupPolicy PowerShell module to manage Security Filtering programmatically. Remove Authenticated Users from a GPO’s Security Filter:
Set-GPPermission `
    -Name "Finance Password Policy" `
    -TargetName "Authenticated Users" `
    -TargetType Group `
    -PermissionLevel None `
    -Confirm:$false
Add the Finance-Staff group with Apply Group Policy permission:
Set-GPPermission `
    -Name "Finance Password Policy" `
    -TargetName "Finance-Staff" `
    -TargetType Group `
    -PermissionLevel GpoApply
Grant Read permission to Domain Computers so DCs can process the GPO namespace (important when Authenticated Users is removed):
Set-GPPermission `
    -Name "Finance Password Policy" `
    -TargetName "Domain Computers" `
    -TargetType Group `
    -PermissionLevel GpoRead
Verify the final permissions on the GPO:
# Get-GPPermission returns GPPermission objects; the trustee name and type live on the
# nested Trustee property (Trustee.Name, Trustee.SidType), so expose them explicitly
Get-GPPermission -Name "Finance Password Policy" -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                  @{n='TrusteeType';e={$_.Trustee.SidType}},
                  Permission, Denied |
    Format-Table
Using Deny Permissions for GPO Exclusions
Deny the Apply Group Policy permission on a GPO to explicitly exclude a group from receiving the policy. This is useful when a GPO applies to a broad scope but you need to exempt specific groups. Apply a Deny permission to exclude the IT-Admins group:
Set-GPPermission `
    -Name "Workstation Lockdown Policy" `
    -TargetName "IT-Admins" `
    -TargetType Group `
    -PermissionLevel GpoApply `
    -Confirm:$false
# The above adds the group with Allow Read + Apply; now add the Deny ACE via the AD ACL directly.
# A Deny ACE always wins over the Allow, so IT-Admins will not receive the policy.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl below
$gpo = Get-GPO -Name "Workstation Lockdown Policy"
# Distinguished name of the Group Policy Container; $gpo.Path holds the same DN if you
# prefer not to hard-code the DC= components
$gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,DC=contoso,DC=local"
$acl = Get-Acl -Path $gpoPath
$group = New-Object System.Security.Principal.NTAccount("CONTOSO\IT-Admins")
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$type = [System.Security.AccessControl.AccessControlType]::Deny
# Well-known GUID of the "Apply Group Policy" extended right
$guidApplyGP = New-Object Guid("edacfd8f-ffb3-11d1-b41d-00a0c968f939")
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($group, $rights, $type, $guidApplyGP)
$acl.AddAccessRule($ace)
Set-Acl -Path $gpoPath -AclObject $acl
Filtering GPOs with Multiple Group Conditions
A single GPO has only one Security Filter: the list of trustees that hold the Apply Group Policy permission. To implement AND logic (apply only to members of both GroupA AND GroupB), use a WMI filter combined with a security group filter. To implement OR logic, add both groups to the Security Filter section:
# Add multiple groups to the Security Filter (OR logic - applies to members of any listed group)
$gpoName = "Remote Workers Policy"
$groups = @("Remote-Workers", "VPN-Users", "Mobile-Staff")
# Remove default Authenticated Users
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Confirm:$false
foreach ($group in $groups) {
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply
    Write-Output "Added $group to Security Filter"
}
# Maintain Read for Domain Computers
Set-GPPermission -Name $gpoName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead
Auditing Security Filtering Across All GPOs
Report on the current Security Filter configuration for all GPOs in the domain:
$allGPOs = Get-GPO -All
$filterReport = @()
foreach ($gpo in $allGPOs) {
    $permissions = Get-GPPermission -Guid $gpo.Id -All
    foreach ($perm in $permissions) {
        # Trustee details are on the nested Trustee object, not on the permission entry itself
        $filterReport += [PSCustomObject]@{
            GPOName     = $gpo.DisplayName
            TrusteeName = $perm.Trustee.Name
            TrusteeType = $perm.Trustee.SidType
            Permission  = $perm.Permission
            Denied      = $perm.Denied
        }
    }
}
# Export-Csv does not create the folder, so make sure it exists first
New-Item -ItemType Directory -Path "C:\GPOReports" -Force | Out-Null
$filterReport | Where-Object {$_.Permission -eq "GpoApply"} |
    Export-Csv "C:\GPOReports\SecurityFilters_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
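The following function is an added example, not code from the original guide: it turns the caveats above into a check by flagging GPOs where Authenticated Users still holds Apply Group Policy beside a targeted group, GPOs that neither Authenticated Users nor Domain Computers can read, GPOs with no Apply trustee at all, and any explicit Deny entries. It assumes the GroupPolicy module is loaded and the caller can read every GPO; the function name and output fields are this example's own.

```powershell
# Added example (not part of the original guide): audit Security Filtering for the
# misconfigurations described in this guide. Function name and fields are assumed names.
function Test-GPOSecurityFilter {
    [CmdletBinding()]
    param([string[]]$GPOName)   # omit to check every GPO in the domain

    $gpos = if ($GPOName) { $GPOName | ForEach-Object { Get-GPO -Name $_ } } else { Get-GPO -All }

    foreach ($gpo in $gpos) {
        $perms    = Get-GPPermission -Guid $gpo.Id -All
        $findings = @()

        # Allow entries only: a Deny entry is an exclusion, not a filter target
        $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        $read  = $perms | Where-Object { $_.Permission -in 'GpoRead','GpoApply' -and -not $_.Denied }
        $authUsersApply = $apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
        $otherApply     = $apply | Where-Object { $_.Trustee.Name -ne 'Authenticated Users' }

        # 1. Residual default: the GPO looks filtered but still applies to everyone
        if ($authUsersApply -and $otherApply) {
            $findings += 'Authenticated Users still has Apply Group Policy alongside: ' +
                         (($otherApply | ForEach-Object { $_.Trustee.Name }) -join ', ')
        }

        # 2. Authenticated Users removed without Read for computers: user settings stop applying
        if (-not ($read | Where-Object { $_.Trustee.Name -in 'Authenticated Users','Domain Computers' })) {
            $findings += 'Neither Authenticated Users nor Domain Computers holds Read'
        }

        # 3. Linked but applies to nobody
        if (-not $apply) { $findings += 'No trustee holds Apply Group Policy' }

        # 4. Explicit exclusions, so they are documented rather than forgotten
        foreach ($d in ($perms | Where-Object { $_.Denied })) {
            $findings += "Explicit Deny of $($d.Permission) for $($d.Trustee.Name)"
        }

        [PSCustomObject]@{
            GPOName  = $gpo.DisplayName
            Id       = $gpo.Id
            Findings = $findings
            Healthy  = ($findings.Count -eq 0)
        }
    }
}

# Show only GPOs that need attention
Test-GPOSecurityFilter | Where-Object { -not $_.Healthy } | Format-List GPOName, Findings
```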
Loopback Processing and Security Filtering
Loopback processing applies User Configuration settings from computer-linked GPOs. When combined with Security Filtering, this allows you to control the desktop environment based on which computer a user logs onto. Enable Loopback in a GPO:
# Via GPMC: Computer Configuration > Policies > Administrative Templates >
# System > Group Policy > Configure user Group Policy loopback processing mode
# Set to Enabled, Mode: Replace or Merge
# Verify via PowerShell. The setting is written as the UserPolicyMode value under the
# Policies hive (1 = Merge, 2 = Replace); the call returns nothing if loopback is not configured.
Get-GPRegistryValue -Name "Terminal Server Policy" `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" `
    -ValueName UserPolicyMode -ErrorAction SilentlyContinue
Security Filtering on Windows Server 2019 is a powerful mechanism for tailoring GPO application to specific populations without building complex OU hierarchies. Always document your security filter design — which groups should receive which GPOs, and which groups are excluded and why. Unexpected GPO application is frequently caused by residual Authenticated Users permissions on GPOs intended for specific groups only.