You're saying that you have user settings that you want to apply to users only when they log on to certain computers? Sounds difficult, eh? It's not difficult at all. It sounds like a job for loopback group policy processing!
Assume the following:
[Domain] mydomain.com.org.net.local
|
|--[OU] Special Computers
|   |
|   |--[Computer] COMPUTER 1
|   |
|   |--[Computer] COMPUTER 2
|   ...
|
|--[OU] User Accounts
    |
    |--[User] Bob
    |
    |--[User] Alice
    ...
You would like to apply a user setting (such as running a logon script, or applying other types of GPO user settings) for all users who log on to computers in the "Special Computers" OU. When they log on to computers located in other OUs, though, you do not want these special settings to apply.
Create and link a GPO to the "Special Computers" OU. Specify in that GPO all the user-related settings you want to apply.
("But wait, Evan! The user's account objects aren't in the 'Special Computers' OU!" Yes. I know that. Stay w/ me here. Most AD admins I've met don't understand loopback policy processing and get scared. I've seen horrible hacks like creating secondary user accounts for users to log on with when using "special computers", etc... >shudder<)
In the GPO you created, go into the COMPUTER "Administrative Templates", "System", "Group Policy", and locate the setting "User Group Policy loopback processing mode". Enable this setting. In the "Mode" box, choose "Replace" if you want all the user's "normal" group policy settings to be ignored and only the user policy settings in this new GPO to apply. Choose "Merge" if you want the user settings in the GPO to apply after all their normal user settings have applied.
My opinion is that this is a lot cleaner than "hacks" involving "If computer == blah" in logon scripts.
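The steps in the answer above, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original answer. The GPO name is hypothetical, the OU path is derived from the answer's diagram, and the script assumes it runs with rights to create and link GPOs in that domain.

```powershell
# Added example: create a GPO, enable loopback processing, link it to the OU.
Import-Module GroupPolicy

$GpoName   = 'Special Computers - Loopback User Settings'   # hypothetical name
$TargetOu  = 'OU=Special Computers,DC=mydomain,DC=com,DC=org,DC=net,DC=local'
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# "User Group Policy loopback processing mode" is stored as the DWORD
# UserPolicyMode under the key above: 1 = Merge, 2 = Replace.
$Modes = @{ Merge = 1; Replace = 2 }
$Mode  = 'Replace'

# Create the GPO only if it is missing, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'User settings for Special Computers (loopback)'
}

# Computer-side setting that turns loopback on for machines in scope.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value $Modes[$Mode] | Out-Null

# Link the GPO to the computers' OU unless a link already exists.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the value back from the GPO to confirm what was written.
$written = (Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserPolicyMode').Value
Write-Output "GPO '$GpoName' loopback mode value: $written ($Mode)"

# Run on a computer in the OU after 'gpupdate /force' to see the effective mode.
function Get-EffectiveLoopbackMode {
    $p = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' `
        -Name 'UserPolicyMode' -ErrorAction SilentlyContinue
    $value = if ($p) { $p.UserPolicyMode } else { 0 }
    if     ($value -eq 1) { 'Merge' }
    elseif ($value -eq 2) { 'Replace' }
    else                  { 'Not configured' }
}
```

The user settings themselves still have to be added under the GPO's User Configuration; the script only creates the container, turns loopback on, and links it.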
My advice to you would be to do what you're doing with Group Policy Preference (GPP) registry settings, rather than with a logon script. It will apply one time, leaving default settings in the users' registry, but the user will be able to change the settings freely in the future without having them "smashed" each time they log on.
If these are Windows Server 2008 machines, like your tag says, then there's really no excuse not to use GPP registry settings. Have a look at the articles below for some more details. This is a really nice feature of W2K8, and something you should be taking advantage of.
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&DisplayLang=en
http://blogs.technet.com/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
There is no API that I'm aware of to make automated changes to the local Group Policy Object on Windows XP (called "Local Group Policy" in newer versions of Windows).
I've had some success manually copying the contents of the %SystemRoot%\System32\GroupPolicy folder between machines. As long as you don't have machine-specific entries there (referencing the machine SID) this should be possible. That won't be in any way "supported" by Microsoft, though, and if it breaks you get to keep the pieces.
Here's an example of a script that modifies local group policy that you might want to look at, too. It's not using any "supported" APIs-- it's just banging on the GPT.INI file. This may work but is definitely "unsupported", too.
Based on your comment to @Zoredache I think you're better off manually doing this to a few computers rather than trying to script it to a bunch of computers. You're going to end up making the person or department who handles Domain Group Policy very unhappy if they have to undo a bunch of local changes on client computers (which are just as difficult to undo as they are to make in the first place).
Best Answer
Did you try REG.EXE?
REG.EXE allows you to do many Registry operations from a command line. This can be useful when you want to quickly make a change without opening RegEdit, and it also allows you to embed registry operations in logon scripts and batch files.