Block User Policy On A Single Computer

Posted on 2005-04-25
Last Modified: 2012-08-14
Here is my scenario; I have a single shared computer on my network that is used for running vendor supplied software. This comptuer is in an OU that reverses all policies applied to the comptuters on my network. However group policy will not allow users to modify the regstry on their on computers. Because the inability to modify the regisrty is a user policy, users are not able to install software on the computer on which I would like them to load vendor software. What I want to do is block user policy from being applied ONLY when users log into that one computer. When the users log into their normal computer I still need all policies applied. Is it possible to block users policies from being applied when users log into this one computer only?
Question by:tommy_hlfgr
    LVL 82

    Accepted Solution

    You need to configure the "loopback" policy for the OU the machine account is in. Configure the mode to "Replace", and your regular user policies shouldn't be applied anymore.

    Loopback Processing of Group Policy

    Note that you can *not* use the loopback GPO to define user policies as well; you'll need to create additional GPOs for the user configuration (if you should need some). Note, too, that any user GPOs in that OU will be applied to *all* users logging on to machines in that OU, even though those users are not in/below the OU. To exclude administrators, use the security group filtering. I'd recommend to do the following (for any GPO, not this special OU only): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users member of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" right for the default "Authenticated Users", add it for the proper security group instead. That way you do not only have an easy control over who has which policies applied, you're pretty safe from surprises as well ...
    LVL 13

    Expert Comment

    Are there alot of users that you need to give rights to modify the registry?  You could just add the users on the local machine and give them Power User Rights.  This will allow them to install only on that machine.

    Featured Post

    What Is Threat Intelligence?

    Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

    Join & Write a Comment

    The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
    Learn about cloud computing and its benefits for small business owners.
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now