Stephen- If the Default Domain Policy is enforced, that's going to prevent you from having another GPO, linked higher at the domain level, from having an effect. I think your best bet is to use security group filtering to deny Apply Group Policy to the group containing your special computers, and then adding a new GPO that is a copy of the Default Domain Policy with an allow for that special group. At that point, you could link it closer to the machines instead of having to link it at the domain level. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Tappmeyer, Stephen [GCG-NAOT] Sent: Monday, January 29, 2007 9:48 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Default Domain Policy In my default domain policy, I have defined an "Interactive logon: Message text for users attempting to log on" and an "Interactive logon: Message title for users attempting to log on". This is working correctly, but I have been asked to provide an exception for a few workstations to allow for an auto logon to those workstations with a specific account. (Currently the message must be acknowledged.) I believe that since this is the default domain that is enforced, I cannot provided an exception unless I link another GPO to the root and ensure that the link order lists this new GPO above the default domain policy. (Security Filtering would be to a specific group to which machine accounts would be added for the exception.) What is the impact of adding this exception to after the Default Domain? Are there any other options? Thanks Stephen