How to Move Computers in and out of a Group Policy


This content has been updated since the original publication. You can find all of our updated protection techniques in our Ransomware Prevention Kit.

With the recent publication of our Cryptolocker Prevention Kit, concerns have been raised over how to install software now that the computers are subject to a Group Policy that most likely prevents it. It’s an extra step in your process, but a necessary one, and it won’t take you much additional time. Here is how you go about moving the computer you’d like to deploy software to out of the policy that is preventing it.

Group Policy structures mostly mirror your Active Directory structure, with one notable exception: Containers aren’t included, only Organizational Units. This is because Group Policies can’t be applied to Containers.

Our AD looks like this. The objects with the file inside the folder are the OUs. The ones without it are the Containers. In our example, Computers (highlighted in yellow) is a Container and SBSComputers (highlighted in blue) is an OU.



And our GPO structure looks like this. Our GPO is applied to the SBSComputers OU.


If we need to install software on a computer that is blocked by this policy, we simply move that computer into the Computers container, install and configure our software, and then move it back. To move a computer, just drag and drop it from the OU it is in into the Computers container. You’ll get the message below reminding you that this will prevent group policies from applying to that computer.


On the computer, from an elevated command prompt, run gpupdate /force to update the policies applied to the computer. Now you can proceed to install the software package. When you are done installing, simply drag the computer from the Computers container back into the OU it came from. Run gpupdate /force again on that computer to re-apply the policies to it.
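The same move-out, install, move-back procedure as a script, added here as an example and not part of the original post or the kit. It assumes the RSAT ActiveDirectory module, rights to move computer objects, and PowerShell remoting enabled on the workstation; the `Update-RemotePolicy` helper is a hypothetical name.

```powershell
#Requires -Modules ActiveDirectory
# Added example: temporarily move a computer out of its policy-linked OU,
# wait for the install, and always move it back afterwards.
param(
    [Parameter(Mandatory)] [string] $ComputerName   # name of the workstation to exempt
)

function Update-RemotePolicy([string] $Name) {
    # Hypothetical helper: runs the article's "gpupdate /force" on the workstation.
    # Assumes PowerShell remoting (WinRM) is enabled on the target.
    Invoke-Command -ComputerName $Name -ScriptBlock { gpupdate /force | Out-Null }
}

$computer   = Get-ADComputer -Identity $ComputerName
# Parent OU = distinguished name minus the leading "CN=<name>," component.
$originalOU = $computer.DistinguishedName -replace '^CN=.+?(?<!\\),', ''
# Default Computers container of the domain (a Container, so no GPO links apply).
$container  = (Get-ADDomain).ComputersContainer

if ($originalOU -eq $container) {
    throw "$ComputerName is already in the Computers container; nothing to restore."
}

Write-Host "Moving $ComputerName from '$originalOU' to '$container'"
# Identify the object by GUID, because its distinguished name changes on each move.
Move-ADObject -Identity $computer.ObjectGUID -TargetPath $container
try {
    Update-RemotePolicy $ComputerName     # drop the OU-linked restrictions
    Read-Host "Install and configure the software on $ComputerName, then press Enter"
}
finally {
    # Runs even if the install step fails or is interrupted, so the machine
    # is not left outside the policy.
    Write-Host "Moving $ComputerName back to '$originalOU'"
    Move-ADObject -Identity $computer.ObjectGUID -TargetPath $originalOU
    Update-RemotePolicy $ComputerName     # re-apply the policy
}
```

In a domain with more than one domain controller, the move has to replicate to the controller the workstation talks to before gpupdate picks up the change.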

It should take you much less than 5 minutes to perform this task. The benefits of Group Policy far outweigh the inconvenience of this procedure.

If you find this kind of material useful, consider joining the SMBKitchen Project. You can find out more about us at



3 thoughts on “How to Move Computers in and out of a Group Policy”


  • John Carnell

    Hello, I recently rolled out the CryptoPrevention Toolkit Group Policies onto a Windows 2008 Domain.

    We now have issues with users who access Autocad files in \users\public etc etc

    Is there a way we can remove the toolkit GPO from the domain to see if this resolves our issues?

    Simply moving the PC into another OU stops the GPO being applied but doesn’t remove the actual settings from it.

    Any help would be appreciated.

    John Carnell

    • Third Tier


      Moving the PC to another OU where you don’t have the policy applied will remove it from the PC. You will need to run gpupdate /force at the server and workstation for the change to take effect. Now, you should have issues with people that have files in users/public because those locations are not blocked by this policy. Only appdata and temp locations are blocked from running executable files.