Can you apply user group policy to be valid only on a server but not workstations?

**Is there a way to apply user group policy selectively, based on a device?** - Yes, using loopback policy processing.

You should also be able to create a group in AD named "Servers xyz" or something to that affect, then add the computer AD object to the group. Use the GPO advanced security, remove 'authenticated users' and replace it with 'domain users' since the computer object (e.g. `SERVER01$` ) is a member of 'Authenticated Users' but not 'Domain Users' but your AD user accounts are a member of 'Domain Users'. Then you use the GPO advanced security 'Delegation' and grant DENY to all for the new AD group containing servers you created (e.g. `Servers xyz`).

Once you set those things up, be sure to run `repadmin syncall /AdeP` from one of your domain controllers, then run `gpupdate /force` on the server, and then reboot the server. Now log into the server and confirm it does not apply to the servers. Or if I said that all backward, set up AD group for `Computers xyz` and add them to the group, and do all those things I mentioned for that group to the correlated GPO. Should work just fine, I've done similar things in the past using security filtering with explicit DENY so it cannot apply GPO since both computer and user needs access for user policy

I sit in a Tesla and translated this thread with Ai: