That's a KVM role. The idea in the 21th century it's to spawn a personal VM per user. Network boundaries would be defined in hypervisor devel, (VLANs, network share accesses and so on), you would need nearly no GPO's but different WMI setups with options prebaked.

The old NT based ACL's/GPO's and such are obsolete as I said when a cheap Linux KVM server can do tons of stuff by itself and firewalls (even professional ones) are dirt cheap. The old world died long ago.

You shouldn't be backing up profiles, accounts or settings from an AD domain. We should already have instant VM booting (from the network) with everything snapshotted to a working state since long ago.

Network boundaries are insufficient. A file share might need to be read-write for some users and read-only for others. Database access is even more granular.

Different users will have licenses to different software. Maintaining individualized VM images isn't sustainable.