Loopback Processing - GPO

This is basically assigning user-based GPOs to an OU of machines. Any user logging into those machines will get the user-based policies/preferences.

Since this is a user policy, it gets a bit more complicated. Since it's a user policy, it doesn't apply to computers, only to users. Normally, a user policy follows a user around to whatever computer they log into, but you want this policy to not follow the user to those particular computers. Am I right?

If you want to apply a different user policy to users when they log into computers in a different OU, then you need to use Loopback policy mode (Computer\Administrative Templates\System\Group Policy).

It's difficult to explain, but when you apply the loopback mode to a particular computer OU, then any user that logs into a computer in that OU gets the user policies that are applied to that OU. Loopback processing can take two forms: either Replace or Merge. In Replace, the user policies in the computer's OU replace all of the user policies that the user would normally have, and Merge simply adds those policies to those that the user would normally have. I generally use Merge, and simply “Disable” any policies that were enabled in other places that I don't want. If you want to completely replace the user's policies then Replace mode is what you want.

As an example of how Microsoft planned for this to be used, you might have a classroom in your company, and when users are in the classroom, they can still log in as themselves, but are not permitted to store files locally. This can be accomplished with a loopback policy. It sounds a bit like what you want to happen.

You need to plan carefully with Loopback mode because it can get a bit confusing.
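A simplified model of the two modes, added here as an illustration and not part of the original text. The GPO and setting names are made up, and it assumes the documented ordering in which, under Merge, the user settings from the computer's GPOs are processed after the user's own GPOs and therefore win on conflict.

```python
# Simplified model of loopback processing (added illustration).
# Ignores security/WMI filtering, Enforced links and Block Inheritance.

def resultant_user_policy(user_gpos, computer_gpos, loopback=None):
    """Return {setting: (state, winning_gpo)} for a user at logon.

    Each list holds (gpo_name, user_settings) pairs, lowest precedence first:
    user_gpos     - GPOs linked along the user's own OU path
    computer_gpos - GPOs linked along the OU path of the computer logged on to
    loopback      - None (off), "merge" or "replace"
    """
    if loopback is None:
        order = list(user_gpos)
    elif loopback == "replace":
        order = list(computer_gpos)  # the user's own GPOs are dropped
    elif loopback == "merge":
        order = list(user_gpos) + list(computer_gpos)  # computer side applied last
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")

    effective = {}
    for gpo_name, settings in order:
        for setting, state in settings.items():
            effective[setting] = (state, gpo_name)  # later GPO overwrites earlier
    return effective


# Constructed sample data: GPO and setting names are hypothetical.
STAFF_GPOS = [("Staff-Desktop", {"allow_local_file_storage": "Enabled",
                                 "map_department_drive": "Enabled"})]
CLASSROOM_GPOS = [("Classroom-Lockdown", {"allow_local_file_storage": "Disabled"})]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, resultant_user_policy(STAFF_GPOS, CLASSROOM_GPOS, mode))
```

In the Merge result the classroom GPO's explicit "Disabled" overrides the staff GPO's "Enabled" while the drive mapping survives; in Replace the drive mapping disappears along with every other setting from the user's own GPOs.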