
  • Status: Solved

Block User Policy On A Single Computer

Here is my scenario; I have a single shared computer on my network that is used for running vendor supplied software. This computer is in an OU that reverses all policies applied to the computers on my network. However group policy will not allow users to modify the registry on their own computers. Because the inability to modify the registry is a user policy, users are not able to install software on the computer on which I would like them to load vendor software. What I want to do is block user policy from being applied ONLY when users log into that one computer. When the users log into their normal computer I still need all policies applied. Is it possible to block user policies from being applied when users log into this one computer only?
1 Solution
You need to configure the "loopback" policy for the OU the machine account is in. Configure the mode to "Replace", and your regular user policies shouldn't be applied anymore.

Loopback Processing of Group Policy

Note that you can *not* use the loopback GPO to define user policies as well; you'll need to create additional GPOs for the user configuration (if you should need some). Note, too, that any user GPOs in that OU will be applied to *all* users logging on to machines in that OU, even though those users are not in/below the OU. To exclude administrators, use the security group filtering.

I'd recommend doing the following (for any GPO, not this special OU only): For every GPO, create a global security group named, for example, GPol<GPO name> (*G*lobal *Pol*icy group for GPO <name>). Make the desired users members of this group. In the security settings for the GPO, remove the "Apply Policy" and "Read policy" rights for the default "Authenticated Users", and add them for the proper security group instead. That way you not only have easy control over who has which policies applied, you're pretty safe from surprises as well ...
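The setup described in the answer above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original answer; the OU path, GPO names, group container and the user `jdoe` are hypothetical placeholders.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Hypothetical names: adjust to your own domain.
$ou        = 'OU=VendorPC,DC=example,DC=com'   # OU holding the shared computer account
$loopGpo   = 'VendorPC-Loopback'               # computer-side GPO that only enables loopback
$userGpo   = 'VendorPC-User'                   # separate GPO for user settings on that PC
$filterGrp = "GPol$userGpo"                    # group naming scheme from the answer

# 1. Loopback GPO linked to the computer's OU.
#    UserPolicyMode: 1 = Merge, 2 = Replace. Replace ignores the GPOs that
#    normally follow the user and applies only user GPOs linked to this OU.
New-GPO -Name $loopGpo | New-GPLink -Target $ou
Set-GPRegistryValue -Name $loopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 2. Separate user GPO for this OU, scoped by a global security group.
New-GPO -Name $userGpo | New-GPLink -Target $ou
New-ADGroup -Name $filterGrp -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=example,DC=com'
Add-ADGroupMember -Identity $filterGrp -Members 'jdoe'   # hypothetical user

Set-GPPermission -Name $userGpo -TargetName $filterGrp `
    -TargetType Group -PermissionLevel GpoApply

# Authenticated Users is lowered to read-only here instead of being removed
# outright: since the MS16-072 update, user policy is retrieved in the
# computer's security context, so the computer account still needs Read.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 3. Verify what was written before relying on it.
Get-GPRegistryValue -Name $loopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPPermission -Name $userGpo -All | Select-Object Trustee, Permission
```

After `gpupdate /force` and a fresh logon on the shared computer, `gpresult /r` shows which user GPOs were actually applied.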
Are there a lot of users that you need to give rights to modify the registry? You could just add the users on the local machine and give them Power User Rights. This will allow them to install only on that machine.
