diff --git a/modules/agentless-scanning/locals.tf b/modules/agentless-scanning/locals.tf
index af52356..32cec9d 100644
--- a/modules/agentless-scanning/locals.tf
+++ b/modules/agentless-scanning/locals.tf
@@ -119,6 +119,9 @@ locals {
 # final targets to deploy organizational resources in
 deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+ // check if root is part of the excluded_ouids
+ isRootExcluded = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 #-----------------------------------------------------------------
@@ -127,7 +130,7 @@ locals {
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
- for_each = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+ for_each = local.org_configuration == "excluded_ous_only" && !local.isRootExcluded ? var.exclude_ouids : []
 parent_id = each.key
 }
diff --git a/modules/config-posture/locals.tf b/modules/config-posture/locals.tf
index af52356..e0e1527 100644
--- a/modules/config-posture/locals.tf
+++ b/modules/config-posture/locals.tf
@@ -119,6 +119,8 @@ locals {
 # final targets to deploy organizational resources in
 deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+ exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 #-----------------------------------------------------------------
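Review bot: The new `isRootExcluded` local turns an unknown root into "root is not excluded": when `local.root_org_unit` is empty it yields `false`, so the second hunk goes on to enumerate descendants of every ID in `var.exclude_ouids`, and if one of those IDs is in fact the organization root every account ends up excluded and the module silently deploys nothing, whereas the old `local.root_org_unit[0]` at least failed hard on the out-of-range index. AWS root IDs carry an `r-` prefix while OU IDs use `ou-`, so a prefix fallback keeps the guard meaningful when the root lookup returns nothing: `isRootExcluded = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : anytrue([for id in var.exclude_ouids : startswith(id, "r-")])` (`startswith` needs Terraform 1.3+, which I cannot confirm from this hunk). Why `local.root_org_unit` can be empty is not visible here, so whether that branch is reachable in an `excluded_ous_only` deployment should be confirmed. The `locals` block that holds this line starts before the hunk.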
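Review bot: The name `exclude_root_ou` diverges from `isRootExcluded` used for the identical expression in the agentless-scanning hunk above, and the `index` lines show both files shared pre-image blob `af52356` with event-bridge, i.e. they were byte-identical before this change; picking one snake_case name (`exclude_root_ou` follows Terraform convention) across all five modules keeps them diff-able against each other. The new local also lands without a comment while the sibling module carries one; `# true when the organization root itself is listed in var.exclude_ouids` would do. The `locals` block starts before the hunk.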
@@ -127,10 +129,9 @@ locals {
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
- for_each = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+ for_each = local.org_configuration == "excluded_ous_only" && !local.exclude_root_ou ? var.exclude_ouids : []
 parent_id = each.key
 }
-
 locals {
 # ACCOUNTS CONFIGURATION (determine user provided accounts configuration)
 accounts_configuration = (
diff --git a/modules/integrations/event-bridge/locals.tf b/modules/integrations/event-bridge/locals.tf
index af52356..1166adf 100644
--- a/modules/integrations/event-bridge/locals.tf
+++ b/modules/integrations/event-bridge/locals.tf
@@ -119,6 +119,8 @@ locals {
 # final targets to deploy organizational resources in
 deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+ exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 #-----------------------------------------------------------------
@@ -127,7 +129,7 @@ locals {
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
- for_each = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+ for_each = local.org_configuration == "excluded_ous_only" && !local.exclude_root_ou ? var.exclude_ouids : []
 parent_id = each.key
 }
diff --git a/modules/onboarding/locals.tf b/modules/onboarding/locals.tf
index 3e6b4e1..93366a1 100644
--- a/modules/onboarding/locals.tf
+++ b/modules/onboarding/locals.tf
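Review bot: The `length(...) > 0 ? ...[0] : false` guard in the added `exclude_root_ou` line of the event-bridge hunk can be written without the index and the explicit length check: `exclude_root_ou = anytrue([for root in local.root_org_unit : contains(var.exclude_ouids, root)])`. `anytrue([])` is `false`, so the empty-list case keeps the same result, and a list with more than one entry is covered instead of silently looking only at element `[0]`. Whether `local.root_org_unit` can ever hold more than one element is not visible here, so the difference is presumably theoretical. The enclosing `locals` block starts before the hunk.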
@@ -119,6 +119,8 @@ locals {
 # final targets to deploy organizational resources in
 deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+ exclude_root_ou = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 #-----------------------------------------------------------------
@@ -127,7 +129,7 @@ locals {
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
- for_each = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+ for_each = local.org_configuration == "excluded_ous_only" && !local.exclude_root_ou ? var.exclude_ouids : []
 parent_id = each.key
 }
diff --git a/modules/vm-workload-scanning/locals.tf b/modules/vm-workload-scanning/locals.tf
index 56bc134..59a1cb6 100644
--- a/modules/vm-workload-scanning/locals.tf
+++ b/modules/vm-workload-scanning/locals.tf
@@ -133,6 +133,9 @@ locals {
 # final targets to deploy organizational resources in
 deployment_targets_ous = lookup(local.deployment_options, local.org_configuration, local.deployment_options.default)
+
+ // check if root is part of the excluded_ouids
+ isRootExcluded = length(local.root_org_unit) > 0 ? contains(var.exclude_ouids, local.root_org_unit[0]) : false
 }
 #-----------------------------------------------------------------
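Review bot: The comment added in the vm-workload-scanning hunk uses `//` while the line right above it in the same hunk (`# final targets to deploy organizational resources in`) and the rest of the visible file use `#`; HCL accepts both, but the Terraform style guide recommends `#`, and mixing the two inside one `locals` block reads as a copy-paste. I would change the line to `# check if root is part of the excluded_ouids`, or better say what the flag is consumed for: `# true when var.exclude_ouids names the organization root; the descendant-account lookup below is skipped in that case`. The `locals` block starts before the hunk.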
@@ -141,7 +144,7 @@ locals {
 # if only exclude_ouids are provided and as long as it isn't Root OU, fetch all their child accounts to filter exclusions
 data "aws_organizations_organizational_unit_descendant_accounts" "ou_accounts_to_exclude" {
- for_each = local.org_configuration == "excluded_ous_only" && !contains(var.exclude_ouids, local.root_org_unit[0]) ? var.exclude_ouids : []
+ for_each = local.org_configuration == "excluded_ous_only" && !local.isRootExcluded ? var.exclude_ouids : []
 parent_id = each.key
 }
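Review bot: The comment above the data source still says the lookup runs "as long as it isn't Root OU", but with the new `!local.isRootExcluded` condition it also runs whenever `local.root_org_unit` is empty, i.e. when the root could not be determined, and the descendant-account query then proceeds on whatever IDs the caller supplied. That is worth stating next to the condition so a later reader does not mistake it for a complete guard: `# ...; if the root cannot be determined (local.root_org_unit is empty) the IDs are queried as given`. The `isRootExcluded` local this line depends on is defined in the earlier hunk of this file, outside this one.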