Danny Moran

How to use Group Policy Security Filtering

Published December 09, 2023 by Danny Moran

Table of Contents


Learn how to use security filtering to limit the scope of group policy objects to users or computers that are members of an active directory security group. In this example, I show you how to change the security filtering options of a group policy object from authenticated users to a security group so that the specified group policy only gets applied to the members of the security group.



  1. Open Active Directory Users and Computers.

    Note: You can run dsa.msc to open the management console.

  2. Create a Active Directory Security Group. Members of this group will get the GPO applied to them.

    Note: Give the security group a descriptive name and description so it is clear what the security group does. I recommend a name such as gpo-apply-gponame.

  3. Open the Group Policy Management Console.

    Note: You can run gpmc.msc to open the management console.

  4. Navigate to Group Policy Objects and select the GPO that you want to apply security filtering to.

  5. Under Security Filtering, select Authenticated Users and press Remove.

  6. Select OK to remove the delegation privilege.

  7. Select OK on the Group Policy Management warning.

    Note: This warning can be ignored as the next steps will correct this so the GPO will be applied correctly.

  8. Select the Delegation tab at the top of the GPO.

  9. Select Add at the bottom of the page and enter Authenticated Users into the search box and select Check Names and then OK

  10. In the Add Group or User popup, it should say Authenticated Users with Read permissions. Press OK.

    Note: The past 3 steps have Authenticated Users read only access to the GPO, but not permission to apply the GPO.

  11. Select the Scope tab at the top of the GPO.

  12. Under Security Filtering, select Add.

  13. Enter the name of the security group you created and press Check Names and then OK.

  14. The GPO scope has now been reduced from authenticated users to just the members of the security group.

    Note: You still need to link the GPO to the correct organisational units, however, the GPO will only get applied to members of the security group.