In other words, I don't want this set of users to see the floppy drive, be able to right click, open calculator, etc., when they are using any of the machines within the OU, BUT have full access rights when they are using machines outside of the OU in Group Policy. All the machines and users are in the same domain. Essentially, is it possible to have a GPO that restricts user rights extensively apply to a group/OU of users only when they login to a specific group/OU of machines?
This sounds like a classic case for using loopback policy processing. As you know, the users are getting the policies which apply to their user accounts based on where they are in Active Directory, and likewise for machines. Loopback means that you can get a machine to process policies which have user settings and apply these to users which log on to them, even though that user policy may not be linked to where the real user account is. This is perfect for things like internet kiosk machines or terminal servers which typically need very specific settings that you don't want to apply to your users normally.
So how do you set it up?
Create and link a policy to the OU where the machines are and edit it. Under Computer Configuration\Administrative Templates\System\Group Policy, you want to configure the setting for "User Group Policy loopback processing mode." You need to choose a mode -- "replace" will ignore all the user's own settings and only use those settings which are in scope for the machine (so linked to your special OU), whereas "merge" will use both, and the machine's looped-back user settings will take precedence in the case of any conflict.
So here we are setting a group policy to tell Group Policy how to function. You can set the user settings you want in this same policy to keep it all together, or link specific user policies to the OU in the normal way.
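The same setup scripted with the GroupPolicy module, as an added example that is not part of the original answer: it creates the GPO, links it to the machine OU, sets loopback to "replace", adds two of the user restrictions mentioned in the question to the same GPO, and shows how to confirm the mode on a kiosk machine. The GPO name and OU distinguished name are placeholders, and the script assumes the RSAT GroupPolicy module is installed.

```powershell
# Added example (not from the original page). Placeholders: GPO name and OU DN.
Import-Module GroupPolicy

$gpoName   = 'Kiosk-Loopback-Replace'                 # placeholder name
$machineOU = 'OU=KioskMachines,DC=example,DC=com'     # placeholder OU of the machines

# 1. Create the GPO if it does not exist yet, then link it to the MACHINE OU
#    (loopback is a computer-side setting, so the link must target the machines).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $machineOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 2. "User Group Policy loopback processing mode" maps to this computer-side
#    policy value: 1 = Merge, 2 = Replace.
$loopbackMode = 2   # Replace: user's own GPOs are ignored on these machines
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $loopbackMode | Out-Null

# 3. Keep the restrictive user settings in the same GPO. These are the standard
#    Explorer policy values behind the Administrative Templates settings:
#    NoDrives is a bitmask of drive letters (A: = 1), NoViewContextMenu = 1
#    disables the Explorer right-click menu.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoViewContextMenu' -Type DWord -Value 1 | Out-Null

# 4. Verification, run ON a machine in the OU after it has refreshed policy:
#    gpupdate /target:computer /force
#    (Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\System').UserPolicyMode
#    -> expect 2. Then log on as one of the users and run "gpresult /r": under
#    the user section only GPOs linked to the machine OU should be listed.
```

Because the user restrictions live in a GPO linked only to the machine OU, the same users keep their normal settings when they log on to machines outside that OU.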
This was first published in September 2006