Hi Asaf, What I suspect you have done is attach your main Policy at the domain level and your administrator's policy at a lower OU. Because Group Policy processing inherits Policies from the lower levels, the administrators will get both sets of policies, i.e. those linked to their OU, plus those linked at the domain level. The exact behavior is quite complex, but normally any settings applied at the child OU will override the settings at the domain level. Therefore if you activate the policy at the domain level and then deactivate it at the Administrator OU level, you will get the desired behavior. You can also enable Blocking at the Administrator OU level which will stop them getting Polices from the Domain level. However if you activate No Override on the domain level policy, this will turn it in to a "Super Policy" that no one can beat. It will ignore Blocking and will be the last to be applied and so no one can override it. You can also apply security filtering to say that some people do not get the policy What you should do is split your Corporate wide policy in to two parts. The first part should be the part that everyone gets and is not to be changed even for administrators. Connect that at the domain level and mark it as No Override. The second half are "optional Policies" and would also apply at the domain level. To cater for your administrators, you can use security filtering (put the administrators in the deny apply list), you can use Blocking so that the Administrators OU does not receive the policy, or you can have another policy for the administrators that resets it to the desired values. Alan Cuthbertson Policy Management Software (Now with ADMX and Preference support):- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml> &f=pol_summary.shtml ADM Template Editor(Now with ADMX support):- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml> &f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml> &f=policyreporter.shtml _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Asaf Efrati Sent: Friday, 8 August 2008 1:48 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Default Gpo overides everything? Hello everyone, I have another troubling issue with my Gpo, I have set the "default Group policy" to deny certain options (or enable them) which I think is fit for the whole company, my problem is that it seems my administrator group who has another separate Gpo assigned To them is effected by this default gpo, mainly it's the default Administrator account and not let's say John (who is also part of the administrator group), for now I just re-enabled the policy I denied. For my general knowledge without direct relation to the my question Can I set the gpo priority or order in which it is applied? Thank you, Asaf Efrati | IT & Security | eToro A 32 Habarzel St. Tel Aviv 69710, Israel M +972 545671587 F +9723 7686712 W www.eToro.com etoro-logo If you have received this email message in error, please notify the sender immediately by telephone or return email and refrain from taking any action relating to the content of the email. Thereafter, please destroy the original message without making a copy. You may not use the content of the email without first obtaining prior written consent from the sender. You may not forward this email to anyone other than the sender for notification purposes.