We have a domain setup with various OUs reflecting the various departments in the company. Policies have been applied to some of these OUs, while some policies sit at the domain level. One of the domain level GPOs disables the firewall service on Win XP. I need to set it so that this firewall policy does NOT apply to laptop users. The problem I have is that the laptop users are spread between various OUs and moving their user accounts into a seperate LAPTOP_USER OU is not an option as various different policies affect the various OUs they are already in. I thought that perhaps if I created a LAPTOP_USERS OU and put their COMPUTER accounts into it (rather than their USER accounts)then applied a seperate policy to it to switch ON the firewall service then this might work. It doesn't seem to though ! I'm fairly new to ADS and policies, so forgive my naivety if I'm missing something obvious, but could anyone recommend a better way to achieve what I want ? thanks in advance for any help

What you suggested you tried about putting the laptop computers into a group policy OU themselves, should work. Since you are disabling the windows firewall on the domain level policy however, it is likely what is still causing the problem with the firewall not being enabled. You may need to remove that setting from the domain wide policy, and disable it in those that you do not want the firewall running for, and enable for the laptop OU. Hope that helps.

apply the policy to a group of computers, not domain computers. make one glocal group "laptops" and "desktops" Add allthe computers into that group. remove the "domain computers" from the apply to section and add just "desktops" or move the desktops and laptops into their own folder. This way is easier. I would make a OU "computers" with sub OU's "workstations" and "laptops" and apply policy to the laptops OU