Solved

How do I exempt local admin group from a domain policy in XP?

Posted on 2008-10-09
Last Modified: 2008-10-10
I have a Windows 2003 domain with a few group policies in AD. In particular I have one policy that locks down one group of users in an OU pretty extensively. One of these users is now getting a laptop and I need him to have local admin rights to the laptop, but I also need him to still be locked down when logging into any other computer on the network. As a policy we do not allow local login to the laptops or create local accounts on the laptops so he will still need to use his domain account.

Is there any way to exempt his domain account from the group policy lock down on this specific laptop? I tried adding hi to the local admin group but that had no effect. I have not been able to find any other solutions at this point.

Thank you in advance.
Question by:mzinkowsky
7 Comments
LVL 3
Expert Comment by: jfrancis10
ID: 22677764
Without adding a local PC account there is no way to give the user elevated perms on a PC. As long as the user logs onto the domain, the domain policy will be enforced.

You could remove his account from the policy OU and limit his log on to a specific PC. That would give him elevated perms but not allow him to log onto a different PC.
LVL 8
Expert Comment by: Sinder255248
ID: 22677770
You could place a GPO on an OU with just his settings in it and use the loopback policy in Replace mode. Then apply that to an OU with just this laptop in it. When it runs it will ignore his group policy and apply the one that's on this OU. You could also use Restricted Groups in this policy to place the user into the local Administrators group. The user should then be able to log on to this particular machine without his current restrictions. Just remember, if there's anything in his current policy that he will still need on this laptop, you'll have to include it in this new policy.
LVL 2
Expert Comment by: Dan560
ID: 22678089
Have you tried granting him administrative permissions on the local PC?
Go to Control Panel, add the user name and the domain, and then it should come up with a menu that displays "What level of access do you want to grant this user?"

You can select from a wide range of user groups for that local machine.
Author Comment by: mzinkowsky
ID: 22678309
Sinder, could you please explain more about the loopback policy? I am unfamiliar with the term. I think I get the gist of what you are saying, but I'm not sure how to actually implement it.
Also to Dan, thank you, but I had already placed the user in the local admin machine on the laptop to no effect.
LVL 4
Expert Comment by: BedouinDN
ID: 22684022
Is this going to remain specific to this one user? If other users are also going to have the same requirement when they get a laptop, could you not look into creating a WMI filter that excludes laptops?
LVL 8
Accepted Solution by: Sinder255248 (earned 125 total points)
ID: 22685150
Normally when a user logs onto a machine, policy processing will take the settings from the user portion of the policy that is assigned to the user's OU, and the computer portion from a policy that is applied to the computer's OU. When using the loopback feature, you have two choices:

Merge - This will combine the settings from the policy attached to the user's OU and the User Configuration portion of the policy assigned to the computer's OU. For any conflicting settings, the computer policy wins out.

Replace - GPOs attached to the user's OU are discarded. Instead they are replaced with the user portion of the GPO that is attached to the computer. This is good for things like kiosks etc., where you might not want the normal user policies like software rollout applying. In your scenario it means that the user can log on to the laptop without all the restrictions which are currently set in their user GPO.

The setting is at: Computer Configuration > Admin Templates > System > Group Policy > "User Group Policy loopback processing mode"

Here's a Microsoft article on it: http://support.microsoft.com/kb/231287

BedouinDN - WMI filtering is more for where the policy applies; in this case the user already has a GPO assigned, and for that to be ignored you would still have to apply loopback processing. Not sure WMI filtering works when loopback processing is enabled, as you can't filter on computer (never tried it though).
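The resolution order the accepted solution describes (Off, Merge, Replace), as an added model that is not from the thread or from Microsoft: the GPOs and setting names are constructed for illustration, and `UserPolicyMode` 1/2 are the registry values the loopback policy setting writes under HKLM\Software\Policies\Microsoft\Windows\System.

```python
import copy

# Added illustration (not from the thread): how a user's Group Policy settings
# resolve under the loopback processing modes the accepted answer describes.
# UserPolicyMode matches the registry value written by the loopback setting
# under HKLM\Software\Policies\Microsoft\Windows\System (1 = Merge, 2 = Replace).
LOOPBACK_OFF = 0
LOOPBACK_MERGE = 1
LOOPBACK_REPLACE = 2

# Constructed sample GPOs; the setting names are illustrative, not real policy names.
LOCKDOWN_GPO = {  # linked to the users' OU; restricts the user on every machine
    "user": {"NoRun": 1, "NoControlPanel": 1, "SoftwareRollout": "OfficeSuite"},
    "computer": {},
}
LAPTOP_GPO = {  # linked to an OU holding only the laptop; enables loopback and
    "user": {"NoControlPanel": 0, "ScreenSaverTimeout": 600},  # carries the user
    "computer": {"UserPolicyMode": LOOPBACK_REPLACE},           # portion that wins
}

def with_mode(gpo, mode):
    """Return a copy of a computer-side GPO with a different loopback mode."""
    clone = copy.deepcopy(gpo)
    clone["computer"]["UserPolicyMode"] = mode
    return clone

def effective_user_settings(user_ou_gpos, computer_ou_gpos):
    """Resolve the user settings a logon session receives.

    user_ou_gpos: GPOs linked to the OU that contains the user account.
    computer_ou_gpos: GPOs linked to the OU that contains the computer account.
    Within each list, later GPOs are processed later and so win conflicts.
    """
    mode = LOOPBACK_OFF
    for gpo in computer_ou_gpos:
        mode = gpo["computer"].get("UserPolicyMode", mode)
    settings = {}
    if mode != LOOPBACK_REPLACE:   # Off and Merge keep the user's own GPOs
        for gpo in user_ou_gpos:
            settings.update(gpo["user"])
    if mode != LOOPBACK_OFF:       # Merge and Replace apply the computer-side
        for gpo in computer_ou_gpos:   # user portion last, so it wins conflicts
            settings.update(gpo["user"])
    return mode, settings

if __name__ == "__main__":
    for mode in (LOOPBACK_OFF, LOOPBACK_MERGE, LOOPBACK_REPLACE):
        print(mode, effective_user_settings([LOCKDOWN_GPO], [with_mode(LAPTOP_GPO, mode)])[1])
    print("other PC", effective_user_settings([LOCKDOWN_GPO], [])[1])  # lockdown still applies
```

The "other PC" case (no loopback GPO on the computer's OU) is the asker's requirement that the user stays locked down everywhere else; on the real laptop, confirm what actually applied with `gpresult /v` rather than trusting the model.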
Author Comment by: mzinkowsky
ID: 22686016
Thank you Sinder that worked perfectly. I appreciate the help.