I have looked for this for a LONG time, and I was happy to run across this great post. I will not steal, so you can find it below, where he does an excellent job describing it. But in case something happens to it, the jist is to use delegation to set a ‘deny GPO’ permission, with the one trick, make sure you leave read turned on, so you can edit it later. Hats off dear sir;
https://blog.brankovucinec.com/2015/07/17/how-to-exclude-a-group-policy-object-gpo-to-users-or-a-security-group/