Or, take the "Interactive Logon Message" out of the Default Domain Policy and put it into a second policy called "Interactive Logon Message", then put the DENY filtering on that policy. It is a bit more overhead (everyone now has to process two policies) but it is more intuitive and you don't have to remember that whenever you modify the Default Domain Policy, you also have to modify the other policy. I also dislike putting security filtering on the Default Domain Policy, again because people may get accidentally added to the group.

Note: The default domain policy is normally "Enforced" but you could remove that if you wanted to and then have a policy that resets the message to blank for just the machines you want. The enforcement is really used to stop OU administrators from overwriting your Default Domain Policy. If you control all of the policies (and are careful) then enforcement is not really necessary.

Alan Cuthbertson

Policy Management Software: http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor: http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Tuesday, 30 January 2007 5:06 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Default Domain Policy

Stephen-

If the Default Domain Policy is enforced, that's going to prevent you from having another GPO, linked higher at the domain level, from having an effect.

I think your best bet is to use security group filtering to deny Apply Group Policy to the group containing your special computers, and then adding a new GPO that is a copy of the Default Domain Policy with an allow for that special group. At that point, you could link it closer to the machines instead of having to link it at the domain level.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Tappmeyer, Stephen [GCG-NAOT]
Sent: Monday, January 29, 2007 9:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Default Domain Policy

In my default domain policy, I have defined an "Interactive logon: Message text for users attempting to log on" and an "Interactive logon: Message title for users attempting to log on". This is working correctly, but I have been asked to provide an exception for a few workstations to allow for an auto logon to those workstations with a specific account. (Currently the message must be acknowledged.)

I believe that since this is the default domain that is enforced, I cannot provide an exception unless I link another GPO to the root and ensure that the link order lists this new GPO above the default domain policy. (Security Filtering would be to a specific group to which machine accounts would be added for the exception.)

What is the impact of adding this exception after the Default Domain? Are there any other options?

Thanks

Stephen
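
Added example, not part of the original thread or written by any of its participants: a small Python model of GPO precedence (link order, Enforced links, and a deny on Apply Group Policy) run against three of the arrangements discussed above. The setting keys, the "NoBanner" group, the "Blank Message" GPO and the sample values are constructed for illustration, and the model leaves out Block Inheritance, WMI filters and loopback.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    level: int                      # 0 = domain root; larger = OU nearer the computer
    order: int                      # link order in that container; 1 = highest precedence
    settings: dict = field(default_factory=dict)
    enforced: bool = False
    deny_apply: frozenset = frozenset()   # groups denied "Apply Group Policy"

def effective(links, groups):
    """Return the settings a computer ends up with (last writer wins)."""
    live = [l for l in links if not (l.deny_apply & groups)]
    # Normal links: domain before OU; within a container, link order 1 is applied last.
    normal = sorted((l for l in live if not l.enforced), key=lambda l: (l.level, -l.order))
    # Enforced links are applied after all normal ones; the highest container wins.
    forced = sorted((l for l in live if l.enforced), key=lambda l: (-l.level, -l.order))
    out = {}
    for l in normal + forced:
        out.update(l.settings)
    return out

BANNER = {"MessageText": "Authorized use only"}   # constructed sample value
BLANK = {"MessageText": ""}                       # constructed "reset to blank" value
KIOSK, DESKTOP = frozenset({"NoBanner"}), frozenset()   # hypothetical group membership

def scenario_extra_gpo_above_enforced_ddp():
    # A second, non-enforced GPO linked at the root above an enforced DDP.
    links = [Link("Default Domain Policy", 0, 2, BANNER, enforced=True),
             Link("Blank Message", 0, 1, BLANK)]
    return effective(links, KIOSK)

def scenario_split_policy_with_deny():
    # Message moved to its own GPO; the NoBanner group is denied Apply on it.
    links = [Link("Default Domain Policy", 0, 2, {"MinPwdLen": 8}, enforced=True),
             Link("Interactive Logon Message", 0, 1, BANNER, deny_apply=KIOSK)]
    return effective(links, KIOSK), effective(links, DESKTOP)

def scenario_unenforced_ddp_with_blank_override():
    # Enforcement removed; a blanking GPO is linked on the exception machines' OU.
    links = [Link("Default Domain Policy", 0, 1, BANNER),
             Link("Blank Message", 1, 1, BLANK)]
    return effective(links, KIOSK)
```

In this model the first scenario still yields the banner on the exception machine, while the other two remove or blank it only for machines in the exception group or OU.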