I have a Windows 2003 domain with a few group policies in AD. In particular I have one policy that locks down one group of users in an OU pretty extensively. One of these users is now getting a laptop and I need him to have local admin rights to the laptop, but I also need him to still be locked down when logging into any other computer on the network. As a policy we do not allow local login to the laptops or create local accounts on the laptops so he will still need to use his domain account.
Is there any way to exempt his domain account from the group policy lock down on this specific laptop? I tried adding hi to the local admin group but that had no effect. I have not been able to find any other solutions at this point.
Thank you in advance.