How do I exempt local admin group from a domain policy in XP?

I have a Windows 2003 domain with a few group policies in AD. In particular I have one policy that locks down one group of users in an OU pretty extensively. One of these users is now getting a laptop and I need him to have local admin rights to the laptop, but I also need him to still be locked down when logging into any other computer on the network. As a policy we do not allow local login to the laptops or create local accounts on the laptops so he will still need to use his domain account.

Is there any way to exempt his domain account from the group policy lockdown on this specific laptop? I tried adding him to the local admin group but that had no effect. I have not been able to find any other solutions at this point.

Thank you in advance.
Sinder255248 Commented:
Normally when a user logs onto a machine, policy processing will take the settings from the user portion of the policy that is assigned to the user's OU, and the computer portion from a policy that is applied to the computer's OU.  When using the loopback feature, you have two choices:

Merge - This will combine the settings from the policy attached to the user's OU and the User Configuration portion of the policy assigned to the computer's OU.  For any conflicting settings, the computer policy wins out.

Replace - GPOs attached to the user's OU are discarded.  Instead they are replaced with the user portion of the GPO that is attached to the computer.  This is good for things like kiosks etc. where you might not want the normal user policies like software rollout etc. applying.  In your scenario it means that the user can log on to the laptop without all the restrictions which are currently set in their user GPO.

The setting is at:  Computer Configuration > Admin Templates > System > Group Policy > "User Group Policy Loop Back Processing Mode"

Here's a Microsoft article on it:

BedouinDN - The WMI filtering is more for where the policy applies, in this case the user already has a GPO assigned, and for that to be ignored you would still have to apply Loopback Processing.  Not sure WMI filtering works when Loopback processing is enabled as you can't filter on computer (never tried it though).
Without adding a local PC account there is no way to give the user elevated perms on a PC.  As long as the user logs onto the domain the domain policy will be enforced.  

You could remove his account from the policy OU and limit his logon to a specific PC.  That would give him elevated perms but not allow him to log onto a different PC.
You could place a GPO on an OU with just his settings in it and use the loopback policy in Replace mode.  Then apply that to an OU with just this laptop in it.  When it runs it will ignore his group policy and apply the one that's on this OU.  You could also use Restricted Groups in this policy to place the user into the local Administrators group.  The user should then be able to log on to this particular machine without his current restrictions.  Just remember if there's anything in his current policy that he will still need on this laptop you'll have to include it in this new policy.
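The steps in the answer above (a GPO linked to an OU that holds only the laptop, with loopback processing set to Replace) can be scripted with the GroupPolicy module. This is an added example, not code from the thread or from any participant; it assumes the RSAT GroupPolicy module (Windows 7 / Server 2008 R2 or later, managing the Server 2003 domain from that machine), an account allowed to create and link GPOs, and placeholder OU and GPO names.

```powershell
# Added example, not from the original thread. Assumes the GroupPolicy module
# (RSAT, Windows 7 / Server 2008 R2 or later) and rights to create and link GPOs.
# The OU distinguished name and GPO name below are placeholders.
Import-Module GroupPolicy

$laptopOU = "OU=Laptop-Exceptions,OU=Workstations,DC=example,DC=com"   # placeholder DN, OU holds only this laptop
$gpoName  = "Laptop Loopback - Replace"                                # placeholder GPO name

# 1. Create the GPO (if it does not already exist) and link it to the laptop's OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Loopback Replace mode for a single laptop admin exception"
}
New-GPLink -Name $gpoName -Target $laptopOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Enable "User Group Policy loopback processing mode" in Replace mode.
#    The setting is stored under HKLM\Software\Policies\Microsoft\Windows\System
#    as the DWORD UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# 3. Read the value back so the change can be reviewed before the laptop refreshes policy.
Get-GPRegistryValue -Name $gpoName `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" -ValueName "UserPolicyMode"

# 4. On the laptop itself, after gpupdate /force and a fresh logon by the user, confirm
#    which GPOs actually applied (run these at a prompt on the laptop, not here):
#      gpresult /r /scope:user       # only the user settings of the loopback GPO should be listed
#      gpresult /r /scope:computer   # the loopback GPO should appear under applied computer GPOs
```

The Restricted Groups entry that puts the user into the local Administrators group has no GroupPolicy cmdlet; set it in GPMC under Computer Configuration > Windows Settings > Security Settings > Restricted Groups in the same GPO. Because Replace mode discards everything in the user's normal GPO, copy any restriction that should still hold on the laptop into this GPO's User Configuration before linking it, and keep the OU limited to the one laptop so the exception does not widen.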

Have you tried granting him administrative permissions on the local PC?
Go to Control Panel, add the user name and the domain, and then it should come up with a menu that displays "What level of access do you want to grant this user?"

You can select from a wide range of user groups for that local machine.
mzinkowsky (Author) Commented:
Sinder, could you please explain more about the loopback policy? I am unfamiliar with the term. I think I get the gist of what you are saying, but I'm not sure how to actually implement it.
Also to Dan, thank you, but I had already placed the user in the local admin group on the laptop to no effect.
Is this going to remain specific to this one user? If other users are also going to have the same requirement when they get a laptop, could you not look into creating a WMI filter that excludes laptops?
mzinkowsky (Author) Commented:
Thank you Sinder that worked perfectly. I appreciate the help.