Short of doing all the stuff below. Just create a new OU
and you can then create a new GPO. Inside that GPO you can
deny processing of ANY GPOs from the domain (i.e. you are
exempt).
To do this:
In you new GPO.
ComputerConfiguration -> Administrative Templates-> System-
Group Policy -> User GPO Loopback processing mode.
Enable it and then select REPLACE. You can then edit the
GPO for only items you want.
When creating the new policy, you will see a small check
box in lower left corner to BLOCK POLICY INHERITANCE
Hope this give you a quick fix.
-----Original Message-----
User configuration for Group Policy will not apply to local accounts, so if a user
with local admin credentials creates a local admin
account for themselves, then if
they logon with that account they will not have user configuration applied to them.
Computer configuration for Group Policy will apply
regardless of if domain or local
user logs on to the computer UNLESS the local
administrator removes the machine from
the domain. He could do that and then later add it back to the domain up to ten times
by default unless the authenticated users group has been removed from the add
workstations to the domain user right for Domain
Controller Security Policy. A local
admin could also remove a machine from the domain and leave it in it's own workgroup
and still be able to access resources while avoiding
Group Policy from the domain by
logging onto the local machine with an account that
exists in the AD domain as long
as the password is correct assuming that no ipsec
policies are enabled to require
access to domain resources. --- Steve
Group Policy from being applied
