Loopback GPOs – Applying user policies to specific computers

Say you need to create a GPO that modifies user settings, but you only want those settings to apply when a user logs on to a specific machine. In effect you need user policy that is scoped by the computer account rather than by the user account. This is useful when users log on to several environments: a user may log on to their own desktop and also to a terminal server, and the two should not receive the same user settings.

The solution is to create a GPO containing the required user settings, link it to the OU that holds the computer accounts, and enable the User Group Policy loopback processing mode policy in that GPO. With loopback enabled, the User Configuration portion of the GPOs that apply to the computer is applied to any user who logs on to that computer, instead of (or in addition to) the user's own policies.

The policy is located in Computer Configuration > Policies > Administrative Templates > System > Group Policy.

The policy has two modes: Merge and Replace.

Replace discards the GPO list that would normally be built for the user (from the site, domain and OUs containing the user account) and applies only the user settings from the GPOs that apply to the computer. A user logging on to that machine therefore gets nothing from their own OU, so any user-side hardening that lives only there must be repeated in the computer's scope or it will silently stop applying on that host.

Merge processes the user's normal GPO list first and then appends the user settings from the GPOs that apply to the computer. Because the computer-scope GPOs are processed last, they take precedence wherever the two sets conflict.
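The procedure above carried out with the GroupPolicy PowerShell module (RSAT or Windows Server), as an added example that is not part of the original post. The GPO name, the OU path and the sample user setting are assumptions for the illustration; the UserPolicyMode registry value is the one the loopback policy writes (1 = Merge, 2 = Replace).

```powershell
# Added example, not code from the original post: build a loopback GPO for a
# terminal-server OU. GPO name, OU path and the sample user setting are
# assumptions; replace them with your own.
Import-Module GroupPolicy

$GpoName  = 'TS-Loopback-UserSettings'                         # assumed GPO name
$TargetOU = 'OU=TerminalServers,OU=Servers,DC=example,DC=com'  # assumed OU holding the computer accounts
$Mode     = 'Replace'                                          # or 'Merge'

# UserPolicyMode is the registry value behind
# "User Group Policy loopback processing mode": 1 = Merge, 2 = Replace.
$UserPolicyMode = @{ Merge = 1; Replace = 2 }[$Mode]

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Loopback ($Mode) user settings for $TargetOU"
}

# Computer Configuration > Policies > Administrative Templates > System > Group Policy
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $UserPolicyMode | Out-Null

# A sample user setting that should only take effect on these machines
# (User Configuration > ... > Start Menu and Taskbar > Remove Run menu from Start Menu).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# The user portion is still evaluated in the logging-on user's context, so the
# users need Read + Apply on this GPO. Do not security-filter it down to the
# computer accounts alone; keep Authenticated Users (or the user groups) on Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Link it to the OU that contains the computer accounts, not the users' OU.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Check: on a machine in $TargetOU, after 'gpupdate /force' and a fresh logon,
# the GPO must appear under "Applied Group Policy Objects" in the USER scope:
#   gpresult /r /scope:user
# If it only shows in the COMPUTER scope, loopback is on but the user lacks
# Apply Group Policy permission on the GPO.
```

The two checks at the end are the ones that catch most loopback mistakes: the GPO linked to the users' OU instead of the computers' OU, and the GPO security-filtered to computer accounts so that the user settings never apply.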

Reference: Microsoft KB 231287, http://support.microsoft.com/?kbid=231287
