You can set security filtering on users and groups to mask or lock the GPOs in the GP repository. When you set this level of security, the GPA Console no longer allows the users or groups to see or edit the targeted GPOs.
You must have the “GPO Security Filtering” privilege to mask or lock a GPO.
You cannot mask or lock GPOs from your own user account or GPOs from the GPA Repository Management Group Users group.
You can set two types of security filters from the GPA Console:
You can mask the GPO to hide it from the selected user or group.
You can lock the GPO to prevent the selected user or group from editing it.
HINT:You can filter a single GPO or you can filter all or some of the GPOs contained in a domain or category.
To filter a GPO:
Log on to a GPA Console computer with an account with the GPO Security Filtering role to filter GPOs.
Start the GPA Console in the Group Policy Administrator program group.
In the left pane, expand GP Repository to the domain, category, or GPO level, depending on your intent, and right-click the object to which you want to apply the filter.
Select GPO Security Filtering.
Browse to and select the GPOs to be masked or locked.
Browse to and select the users or groups to be prevented from viewing or editing the GPOs selected in step 5.
Set the Filter to the appropriate type and click Add.
Click OK.
To remove a security filter from a GPO:
Log on to a GPA Console computer with an account with the GPO Security Filtering role to filter GPOs.
Start the GPA Console in the Group Policy Administrator program group.
In the left pane, expand GP Repository to the domain, category, or GPO level, depending on your intent, and right-click the filtered object.
Select GPO Security Filtering.
Locate the filtered object in the GPOs Security Filter table and select its check box.
HINT:If you want to unfilter all of the GPOs displayed in the table, select the check box at the top of the column.
Click Remove and then click OK.