If there is a GPO which is applied to all Domain Computers which disables something, is there a way to re-enable the disabled thing for some hosts in the domain, without taking those hosts out of the default Domain Computers group?
In other words, can another GPO, which re-enables the feature that was disabled, be applied to a subset OU, whose member computers are still members of Domain Computers? If so, where exactly in the domain hierarchy should that OU be made, and how should the two GPOs be applied?
Yes, absolutely, this is the very foundation of Group Policy hierarchy. Group Policies are applied in the following order:
Within each of the latter 3, each 'level' can have multiple GPO's and their order is decided by the system administrator. This is called the "link order" and the lowest number is processed last, which means that policy has the final say.
OU policies are applied starting at the "root", and then downwards, if that makes sense.
Here is some good reading on the subject:
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
With regards as to what to actually do with the individual GPO, well that kind of depends on the policy itself, but generally, they have the following three options:
And all that happens is that the very last policy to execute will have the final 'say' on what the final setting with. With the exception of 'Not Configured' where no changes are made. 'Not configured' is the default for all options within Group Policy when you create a new GPO.
So, if your current policy has a setting that is "Enabled", you need to create a GPO with the same setting "Disabled".
In addition to the answers posted already, you could also link the GPO to the domain (rather than creating an OU and moving the computer objects to this OU and linking your GPO to this OU) and use Security Filtering to filter the GPO so that it applies to only the computers required. You would only need to set this GPO's link order higher than the other GPO (the one that disables the setting).
I would suggest creating a group for the affected computers, adding the computer objects to this group, create and link your GPO, set the link order for the GPO, and configure Security Filtering for this GPO to apply only to the group you created for these computers.
Yes, the order in which the group policies get applied depends on their placing within the Active Directory structure, following the LSDO order (Local, Site, Domain, Organisational Unit).
So, if your domain computers policy is applied at the domain level, you can apply another policy at the OU level that contains the hosts that you want to override the settings for. The OU-level policy will override any duplicated settings.