Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


How do I exempt local admin group from a domain policy in XP?

Posted on 2008-10-09
Medium Priority
Last Modified: 2008-10-10
I have a Windows 2003 domain with a few group policies in AD. In particular I have one policy that locks down one group of users in an OU pretty extensively. One of these users is now getting a laptop and I need him to have local admin rights to the laptop, but I also need him to still be locked down when logging into any other computer on the network. As a policy we do not allow local login to the laptops or create local accounts on the laptops so he will still need to use his domain account.

Is there any way to exempt his domain account from the group policy lock down on this specific laptop? I tried adding hi to the local admin group but that had no effect. I have not been able to find any other solutions at this point.

Thank you in advance.
Question by:mzinkowsky
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 22677764
With out adding a local pc account there is no way to give the user elevated perms on a pc.  As long as the user logs onto the domain the domain policy will be enforced.  

You could remove his account from the policy ou and limit his log on to a spacific PC.  That would give him elavated perms but not allow him to log onto different pc.

Expert Comment

ID: 22677770
You could place a GPO on an OU with just his settings in it and use the loopback policy in Replace mode.  Then apply that to an OU with just this laptop in it.  When it runs it will ignore his group policy and apply the one that's on this OU.  You could also use Restricted groups in this policy to place the user into the Local Admins group.  The user should then be able to logon to this particular machine without his current restrictions.  Just remember if there's anything in his current policy that he will still need on this laptop you'll have to include it in this new policy.

Expert Comment

ID: 22678089
Have you tried granting him administrative permissions on the local PC?
go to control panel add the user name and the domain, and then it should come up with a menu that displays 'what level of access to you want to grant this user?

You can select from wide range of user groups for that local machine
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 22678309
Sinder could you please explain more about the loopback policy, I am unfamiliar with the term. I think I get the gist of what oyu are saying, but I'm not sure how to actually implement it.
Also to Dan thank you but I had already palced the user in the local admin machine on the laptop to no effect.

Expert Comment

ID: 22684022
Is this going to remain specific to this one user, if other users are also going to have the same requirement when they get a laptop, could you not look into creating a WMI filter that excludes laptops?

Accepted Solution

Sinder255248 earned 500 total points
ID: 22685150
Normally when a user logs onto a machine policy processing will take the settings from the user portion of the policy that is assigned to the User's OU, and the computer portion from a policy that is applied to the computer's OU.  When using the loopback feature, you have two choices:

Merge - This will combine the settings from the policy attached to the User's OU and the UserConfig portion of the policy assigned to the computers OU.  Any conflicting settings, the computer policy wins out.

Replace - GPO's attached to the user's OU are discarded.  Instead they are replaced with the user portion of the GPO that is attached to the computer.  This is good for things like kiosks etc where you might not want the normal user policies like software roleout etc applying.  In your scenario it means that the user can logon to the laptop without all the restrictions which are currently set in their User GPO.

The setting is at:  Computer Configuration > Admin Templates > System > Group Policy > "User Group Policy Loop Back Processing Mode"

Here's a microsoft article on it:

BedouinDN - The WMI filtering is more for where the policy applies, in this case the user already has a GPO assigned, and for that to be ignored you would still have to apply Loopback Processing.  Not sure WMI filtering works when Loopback processing is enabled as you can't filter on computer (never tried it though).

Author Comment

ID: 22686016
Thank you Sinder that worked perfectly. I appreciate the help.

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Let's recap what we learned from yesterday's Skyport Systems webinar.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question