How do I exempt local admin group from a domain policy in XP?

Posted on 2008-10-09
Last Modified: 2008-10-10
I have a Windows 2003 domain with a few group policies in AD. In particular I have one policy that locks down one group of users in an OU pretty extensively. One of these users is now getting a laptop and I need him to have local admin rights to the laptop, but I also need him to still be locked down when logging into any other computer on the network. As a policy we do not allow local login to the laptops or create local accounts on the laptops so he will still need to use his domain account.

Is there any way to exempt his domain account from the group policy lock down on this specific laptop? I tried adding hi to the local admin group but that had no effect. I have not been able to find any other solutions at this point.

Thank you in advance.
Question by:mzinkowsky

Expert Comment

ID: 22677764
With out adding a local pc account there is no way to give the user elevated perms on a pc.  As long as the user logs onto the domain the domain policy will be enforced.  

You could remove his account from the policy ou and limit his log on to a spacific PC.  That would give him elavated perms but not allow him to log onto different pc.

Expert Comment

ID: 22677770
You could place a GPO on an OU with just his settings in it and use the loopback policy in Replace mode.  Then apply that to an OU with just this laptop in it.  When it runs it will ignore his group policy and apply the one that's on this OU.  You could also use Restricted groups in this policy to place the user into the Local Admins group.  The user should then be able to logon to this particular machine without his current restrictions.  Just remember if there's anything in his current policy that he will still need on this laptop you'll have to include it in this new policy.

Expert Comment

ID: 22678089
Have you tried granting him administrative permissions on the local PC?
go to control panel add the user name and the domain, and then it should come up with a menu that displays 'what level of access to you want to grant this user?

You can select from wide range of user groups for that local machine
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.


Author Comment

ID: 22678309
Sinder could you please explain more about the loopback policy, I am unfamiliar with the term. I think I get the gist of what oyu are saying, but I'm not sure how to actually implement it.
Also to Dan thank you but I had already palced the user in the local admin machine on the laptop to no effect.

Expert Comment

ID: 22684022
Is this going to remain specific to this one user, if other users are also going to have the same requirement when they get a laptop, could you not look into creating a WMI filter that excludes laptops?

Accepted Solution

Sinder255248 earned 125 total points
ID: 22685150
Normally when a user logs onto a machine policy processing will take the settings from the user portion of the policy that is assigned to the User's OU, and the computer portion from a policy that is applied to the computer's OU.  When using the loopback feature, you have two choices:

Merge - This will combine the settings from the policy attached to the User's OU and the UserConfig portion of the policy assigned to the computers OU.  Any conflicting settings, the computer policy wins out.

Replace - GPO's attached to the user's OU are discarded.  Instead they are replaced with the user portion of the GPO that is attached to the computer.  This is good for things like kiosks etc where you might not want the normal user policies like software roleout etc applying.  In your scenario it means that the user can logon to the laptop without all the restrictions which are currently set in their User GPO.

The setting is at:  Computer Configuration > Admin Templates > System > Group Policy > "User Group Policy Loop Back Processing Mode"

Here's a microsoft article on it:

BedouinDN - The WMI filtering is more for where the policy applies, in this case the user already has a GPO assigned, and for that to be ignored you would still have to apply Loopback Processing.  Not sure WMI filtering works when Loopback processing is enabled as you can't filter on computer (never tried it though).

Author Comment

ID: 22686016
Thank you Sinder that worked perfectly. I appreciate the help.

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article runs through the process of deploying a single EXE application selectively to a group of user.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question