How do you override a GPO with another GPO?
Yes, absolutely, this is the very foundation of Group Policy hierarchy. Group Policies are applied in the following order:
- Local Group Policy (Based on the client machine - this is not connected to your AD Group Policy)
- Site Level Policies
- Domain Level Policies
- OU Level Policies
Within each of the latter 3, each 'level' can have multiple GPO's and their order is decided by the system administrator. This is called the "link order" and the lowest number is processed last, which means that policy has the final say.
OU policies are applied starting at the "root", and then downwards, if that makes sense.
Here is some good reading on the subject:
http://technet.microsoft.com/en-us/library/cc785665(v=ws.10).aspx
With regards as to what to actually do with the individual GPO, well that kind of depends on the policy itself, but generally, they have the following three options:
- Enabled
- Disabled
- Not Configured
And all that happens is that the very last policy to execute will have the final 'say' on what the final setting with. With the exception of 'Not Configured' where no changes are made. 'Not configured' is the default for all options within Group Policy when you create a new GPO.
So, if your current policy has a setting that is "Enabled", you need to create a GPO with the same setting "Disabled".
In addition to the answers posted already, you could also link the GPO to the domain (rather than creating an OU and moving the computer objects to this OU and linking your GPO to this OU) and use Security Filtering to filter the GPO so that it applies to only the computers required. You would only need to set this GPO's link order higher than the other GPO (the one that disables the setting).
I would suggest creating a group for the affected computers, adding the computer objects to this group, create and link your GPO, set the link order for the GPO, and configure Security Filtering for this GPO to apply only to the group you created for these computers.