How do I exempt local admin group from a domain policy in XP?

Posted on 2008-10-09
Last Modified: 2008-10-10
I have a Windows 2003 domain with a few group policies in AD. In particular I have one policy that locks down one group of users in an OU pretty extensively. One of these users is now getting a laptop and I need him to have local admin rights to the laptop, but I also need him to still be locked down when logging into any other computer on the network. As a policy we do not allow local login to the laptops or create local accounts on the laptops so he will still need to use his domain account.

Is there any way to exempt his domain account from the group policy lock down on this specific laptop? I tried adding him to the local admin group but that had no effect. I have not been able to find any other solutions at this point.

Thank you in advance.
Question by:mzinkowsky

Expert Comment

by:jfrancis10
ID: 22677764
Without adding a local PC account there is no way to give the user elevated perms on a PC. As long as the user logs onto the domain the domain policy will be enforced.

You could remove his account from the policy OU and limit his log on to a specific PC. That would give him elevated perms but not allow him to log onto a different PC.

Expert Comment

by:Sinder255248
ID: 22677770
You could place a GPO on an OU with just his settings in it and use the loopback policy in Replace mode. Then apply that to an OU with just this laptop in it. When it runs it will ignore his group policy and apply the one that's on this OU. You could also use Restricted Groups in this policy to place the user into the local Admins group. The user should then be able to log on to this particular machine without his current restrictions. Just remember, if there's anything in his current policy that he will still need on this laptop you'll have to include it in this new policy.

Expert Comment

by:Dan560
ID: 22678089
Have you tried granting him administrative permissions on the local PC?
Go to Control Panel, add the user name and the domain, and then it should come up with a menu that displays 'What level of access do you want to grant this user?'

You can select from a wide range of user groups for that local machine.

Author Comment

by:mzinkowsky
ID: 22678309
Sinder, could you please explain more about the loopback policy? I am unfamiliar with the term. I think I get the gist of what you are saying, but I'm not sure how to actually implement it.
Also to Dan, thank you, but I had already placed the user in the local admin machine on the laptop to no effect.

Expert Comment

by:BedouinDN
ID: 22684022
Is this going to remain specific to this one user? If other users are also going to have the same requirement when they get a laptop, could you not look into creating a WMI filter that excludes laptops?

Accepted Solution

by:Sinder255248
ID: 22685150
Normally when a user logs onto a machine, policy processing will take the settings from the user portion of the policy that is assigned to the user's OU, and the computer portion from a policy that is applied to the computer's OU. When using the loopback feature, you have two choices:

Merge - This will combine the settings from the policy attached to the user's OU and the User Configuration portion of the policy assigned to the computer's OU. Where settings conflict, the computer policy wins out.

Replace - GPOs attached to the user's OU are discarded. Instead they are replaced with the user portion of the GPO that is attached to the computer. This is good for things like kiosks, etc., where you might not want the normal user policies like software rollout applying. In your scenario it means that the user can log on to the laptop without all the restrictions which are currently set in their user GPO.

The setting is at: Computer Configuration > Administrative Templates > System > Group Policy > "User Group Policy loopback processing mode"

Here's a microsoft article on it:  http://support.microsoft.com/kb/231287

BedouinDN - The WMI filtering is more for where the policy applies, in this case the user already has a GPO assigned, and for that to be ignored you would still have to apply Loopback Processing.  Not sure WMI filtering works when Loopback processing is enabled as you can't filter on computer (never tried it though).
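The procedure in the accepted answer (an OU holding only the laptop, a GPO with loopback processing in Replace mode linked to that OU, Restricted Groups for local Administrators, then verification) as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules from RSAT (Windows 7 / Server 2008 R2 or later; on the 2003/XP-era setup in the question the same steps are done by hand in GPMC), and the domain CONTOSO / contoso.local, computer LAPTOP01, user jdoe, OU name "Loopback Laptops" and GPO name "Laptop Loopback - Replace" are placeholders.

```powershell
# Added example, not from the original thread. Assumed names: domain CONTOSO,
# laptop LAPTOP01, user jdoe, OU "Loopback Laptops", GPO "Laptop Loopback - Replace".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Loopback Laptops'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Laptop Loopback - Replace'
$laptop   = 'LAPTOP01'
$user     = 'CONTOSO\jdoe'

# 1. An OU that holds only the laptop(s) that should get the relaxed user settings.
#    The user account stays in its existing (locked-down) OU.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
Get-ADComputer $laptop | Move-ADObject -TargetPath $ouDN

# 2. A GPO with "User Group Policy loopback processing mode" = Replace.
#    That administrative template writes
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Loopback Replace so laptop users get only this GPO''s user settings'
}
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Link the GPO to the laptop OU only, never to the OU that holds the users.
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. Restricted Groups has no cmdlet: open the GPO in the editor and set it under
#    Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
#    Add a domain group (e.g. CONTOSO\Laptop-LocalAdmins containing jdoe) with
#    "This group is a member of: Administrators". That appends to the local
#    Administrators group; using "Members of this group" on BUILTIN\Administrators
#    instead replaces the whole membership and strips any existing local admins.

# 5. Verify on the domain side: the value is in the GPO, and the RSoP for this
#    user on this laptop lists only the laptop GPO's user settings.
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
Get-GPResultantSetOfPolicy -Computer $laptop -User $user `
    -ReportType Html -Path "$env:TEMP\rsop-$laptop.html"
```

On the XP laptop itself, run `gpupdate /force`, log the user on, and `gpresult /scope user /v` should list the laptop GPO (and no longer the lock-down GPO) under Applied Group Policy Objects. Two caveats the answer implies but does not spell out: Replace mode discards every user-side setting from the user's own OU on that machine, including security-relevant ones such as screen-saver lock or removable-drive restrictions, so anything that must still apply has to be re-created in the laptop GPO; and a user who is a local Administrator on a domain-joined machine can tamper with that machine however they like anyway, so the lock-down only remains meaningful on the other computers, where it is still enforced from AD.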

Author Comment

by:mzinkowsky
ID: 22686016
Thank you Sinder that worked perfectly. I appreciate the help.