Apply user policies selectively

We have an Active Directory Domain running at 2003 native mode.  We have a small set of laptops we want to lockdown.  We found that we lock everything we need to using group policies and that works as long as the users are in the OU that we have linked the ou to.  the problem we are running into however is the following. We only want the Group Policy to apply to them if they are logging into these laptops.  If they are logging into their desktops we do not need them to be affected by this policy.  Does anyone have any ideas?  I have heard of Loopback processing of Group Policies but am not sure how to apply this.

Thanks in advance.

Raoul
LVL 2
amnhtechAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

John Gates, CISSPSecurity ProfessionalCommented:
Move the laptops into an OU and apply the policies to the laptops.
0
LauraEHunterMVPCommented:
More specifically, place the laptops in a separate OU and configure a GP with the appropriate lock-down settings. Within that GPO, configure loopback processing in the following node: Computer Settings\Administrative settings\System\Group Policy. Two options are available:

Merge mode   The user's "normal" GPOs are applied, then any overriding settings from the lockdown GPO take effect.

Replace mode   The user's "normal" GPOs are not applied, they only get the lockdown policies when logged into these laptops.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
amnhtechAuthor Commented:
I guess I should have been more clear.  I have created a special OU for these laptops and linked the policy to this OU.  However since the changes are in the user portion of the OU if the users are not in the OU that the policy is linked to the changes do not get applied.  The ou structure looks like this

Dept - +
           |
           Users
           |
           Computers
           |
           LockedDownLaptops

The Laptops are in the Locked... OU and the Users are in the Users OU

I am aware that we could link the policy to the Dept OU but we do not want all the computers in that OU to be affected by this policy

0
LauraEHunterMVPCommented:
Link the "Lockdown GPO" to the Lockdownlaptops OU, and configure that GPO with the loopback setting I described above.  This will cause the user settings of that OU to get applied when users log onto only the laptops in that OU.
0
amnhtechAuthor Commented:
Thanks Laura for the answer I figured the answer was in the loopback processing but when I tried it I selected merge rather than replace.  Once I did what you said it worked exactly like I needed it to.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.