In other words, I don't want this set of users to see the floppy drive, be able to right click, open calculator, etc., when they are using any of the machines within the OU, BUT have full access rights when they are using machines outside of the OU in Group Policy. All the machines and users are in the same domain. Essentially, is it possible to have a GPO (that restricts user rights extensively) apply to a group/OU of users only when they log in to a specific group/OU of machines?
This sounds like a classic case for using loopback policy processing. As you know, the users are getting the policies which apply to their user accounts based on where they are in Active Directory, and likewise for machines. Loopback means that you can get a machine to process policies which have user settings and apply these to users who log on to them, even though that user policy may not be linked to where the real user account is. This is perfect for things like internet kiosk machines or terminal servers which typically need very specific settings that you don't want to apply to your users normally.
So how do you set it up?
Create and link a policy to the OU where the machines are and edit it. Under Administrative Templates\System\Group Policy, you want to configure the setting for "User Group Policy loopback processing mode." You need to choose a mode -- "replace" will ignore all the user's own settings and only use those settings which are in scope for the machine (so linked to your special OU), whereas "merge" will use both, and the machine's looped-back user settings will take precedence in the case of any conflict.
So here we are setting a group policy to tell Group Policy how to function. You can set the user settings you want in this same policy to keep it all together, or link specific user policies to the OU in the normal way.
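The same setup can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original answer; the GPO name and OU distinguished name are hypothetical placeholders, and it relies on the loopback setting being stored as the `UserPolicyMode` policy registry value (1 = merge, 2 = replace).

```powershell
# Added example: requires the GroupPolicy module (RSAT/GPMC) and rights to
# create and link GPOs. $GpoName and $MachineOu are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName   = 'Restricted Machines - Loopback'      # hypothetical GPO name
$MachineOu = 'OU=Restricted,DC=example,DC=com'     # hypothetical OU holding the machines
$Mode      = 'Replace'                             # 'Replace' or 'Merge'

# The loopback mode is a computer-side policy registry value: 1 = Merge, 2 = Replace.
$modeValue = @{ Merge = 1; Replace = 2 }[$Mode]
if (-not $modeValue) { throw "Mode must be 'Merge' or 'Replace'." }

$key = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback user settings for the restricted machines'
}

# Equivalent to enabling "User Group Policy loopback processing mode" in the editor.
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value $modeValue | Out-Null

# Link the GPO to the OU that contains the machines (not the users), once.
$linked = (Get-GPInheritance -Target $MachineOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $MachineOu -LinkEnabled Yes | Out-Null
}

# Read the value back from the GPO to confirm what clients will receive.
$check = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
'{0}: UserPolicyMode = {1} ({2}), linked to {3}' -f $GpoName, $check.Value, $Mode, $MachineOu
```

After the restrictive user settings are added to this GPO, run `gpupdate /force` on a machine in the OU, log on as a test user, and check `gpresult /r` to confirm the GPO is listed among the applied user settings.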