GPPs: "Elevating" user A on computer X
I wanted the ability to elevate (turn off some bits of policy for) domain user A when they log on to a specific domain computer X, but not when they log on to domain computer Y. Further, it must *not* affect domain user B when they log on to the same computer X, so good old loopback processing won't help. And getting user A to log on with a local account on computer X definitely won't cut it.
I didn't think I'd ever get around this without some clunky code, but eventually I made this recipe:
a) Make and link a GPO with higher precedence than the GPOs containing settings we want to override.
b) Using the Computer GPP Local Users and Groups item, add domain user A to a local builtin group and target this item at computer X. Usable local groups are Guests, Power Users and Administrators.
[With this GPP you can type any old junk in for a group name, but it only works if GPP can resolve the group name to a SID. Because I was doing this on a 2K8 DC I couldn't browse for the local group and it didn't get the SID, so I fixed that manually by just editing the well-known SID into the relevant XML file in Sysvol]
c) Using User GPP, make a registry collection and target *the collection* (not the individual items) at members of that local builtin group. Within that collection add lots of nicely arranged un-targeted registry items to undo various bits of normal policy.
Now whenever I want to elevate one or more users on one or more machines, I just go and repeat step b) above, which is relatively easy.
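The weak spot in step b) is the `groupSid` attribute in Groups.xml: if the GPP console could not resolve the group name to a SID, the item is written with an empty `groupSid` and silently does nothing on the client. The script below is an added example, not the author's code, that does the same check offline against a copy of a Groups.xml taken from SYSVOL (normally `\\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml`). It reports which domain accounts each item adds to which builtin group and on which targeted computers, flags items whose `groupSid` is empty or does not match the well-known BUILTIN SID for that name, and can fill in the missing SID the way the author did by hand. The embedded Groups.xml is a constructed sample trimmed to the attributes the script reads (`clsid`, `uid` and `changed` attributes are omitted); the domain, user and computer names in it are placeholders. Reading the same report for the Administrators group is also the audit a defender wants, since GPP is a common way for domain accounts to quietly become local administrators.

```python
import sys
import xml.etree.ElementTree as ET

# Well-known SIDs of the BUILTIN local groups the recipe can use (Users added for completeness).
WELL_KNOWN_LOCAL_GROUPS = {
    "Administrators": "S-1-5-32-544",
    "Users": "S-1-5-32-545",
    "Guests": "S-1-5-32-546",
    "Power Users": "S-1-5-32-547",
}

# Constructed sample Groups.xml: the first item has the empty groupSid problem described
# in step b) and is targeted at one computer; the second has a SID and no targeting.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Power Users" image="2">
    <Properties action="U" groupSid="" groupName="Power Users"
                deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0">
      <Members>
        <Member name="EXAMPLE\\userA" action="ADD" sid=""/>
      </Members>
    </Properties>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="COMPUTERX"/>
    </Filters>
  </Group>
  <Group name="Administrators" image="2">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators"
                deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0">
      <Members>
        <Member name="EXAMPLE\\svc-backup" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

ALL_COMPUTERS = "<every computer in the GPO's scope>"


def audit_groups_xml(xml_text):
    """Return one record per (group item, member) pair found in a Groups.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for group in root.findall("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        name = props.get("groupName", "")
        sid = props.get("groupSid", "")
        expected = WELL_KNOWN_LOCAL_GROUPS.get(name)
        # Item-level targeting: FilterComputer entries limit which machines apply the item.
        # A not="1" filter is an exclusion, so it is reported with a NOT prefix.
        targets = []
        for flt in group.iter("FilterComputer"):
            prefix = "NOT " if flt.get("not", "0") == "1" else ""
            targets.append(prefix + (flt.get("name") or ""))
        for member in props.iter("Member"):
            findings.append({
                "group": name,
                "sid": sid,
                "sid_missing": sid == "",
                "sid_mismatch": bool(sid) and expected is not None and sid != expected,
                "member": member.get("name"),
                "action": member.get("action"),
                "targets": targets or [ALL_COMPUTERS],
            })
    return findings


def fix_missing_sids(xml_text):
    """Fill empty groupSid attributes from the well-known table; returns (new_xml, count)."""
    root = ET.fromstring(xml_text)
    patched = 0
    for props in root.iter("Properties"):
        if props.get("groupSid", "") == "":
            sid = WELL_KNOWN_LOCAL_GROUPS.get(props.get("groupName", ""))
            if sid:
                props.set("groupSid", sid)
                patched += 1
    return ET.tostring(root, encoding="unicode"), patched


if __name__ == "__main__":
    # Pass a real Groups.xml path as argv[1]; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_GROUPS_XML
    for f in audit_groups_xml(text):
        status = "MISSING SID" if f["sid_missing"] else ("SID MISMATCH" if f["sid_mismatch"] else "ok")
        print(f"{f['action']} {f['member']} -> {f['group']} [{status}] on {', '.join(f['targets'])}")
    fixed, n = fix_missing_sids(text)
    print(f"{n} item(s) would be patched with a well-known SID")
```

Run it with no arguments to see the sample report; with a path it reads that file instead. The `fix_missing_sids` output is printed rather than written back, because a real fix should be written to the Groups.xml in SYSVOL deliberately (and the GPO's version incremented) rather than by an audit script.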