Right. That's the problem. You have the GPO linked at the domain level. So, your users are getting it regardless of where they're located in the domain, because they are in the Users container. What I see you have is the TerminalServerPolicy GPO linked to both the domain and the TS OU, but the TS OU link is disabled. What you should do is get rid of the domain-level link and then you should be only affecting those users logging into the one TS.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 4:10 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Here is a picture of my GP. Maybe I have it linked wrong?

_____

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx]
Sent: Monday, June 30, 2008 5:16 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Where is the user account in AD? Is it in the same OU as the terminal servers? If so, then that will not work. If not, then something else must be going on.

Here's how it works. You enable a computer for loopback. That means that any GPOs that contain user settings, that are normally only processed by the computer, get processed by any user logging into the loopback-enabled machine. If a machine is not enabled for loopback, then the only way a user logging into that machine would get the same settings is if the GPO enabling those settings is linked too high in the AD hierarchy, or your user account is in the same OU as the TS box.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 3:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Okay. I'm still not understanding. I have one user logging on to both TS boxes. I want the policy to apply only on one box, but not the other. Sorry for not getting it! This is my first terminal server. Thanks for your help!
_____

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx]
Sent: Monday, June 30, 2008 3:36 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Savannah-

If the user account is in line to process the user policy on the loopback GPO, then it's going to get it unless you also permission the loopback GPO to only allow the group of users that you want to process that policy the ability to do so. In other words, you must have the loopback GPO linked in such a way that the user accounts that you don't want to apply it to are processing it as a normal course of their policy processing cycle. If you only want specific users to process it, then only allow those users the ability to process the policy.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 12:29 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Yes, I only have the machine and the one test user listed in Security Filtering. I ran GP Results on the 2nd box and my policy is not applying to the box, but it IS applying to the user. I want it to apply to the user only if the user is on the OTHER box.

Here is a screenshot of where I set the loopback processing:

_____

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx]
Sent: Monday, June 30, 2008 1:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Did you remove the Authenticated Users group? Try running GP Results Wizard against that 2nd TS box and see if it says that the GPO is applying to it, and why.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 10:50 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

I have this set as well. I have the single server along with the users it should apply to listed in security filtering, but the policy is still applying when I log on to my second terminal server.
_____

From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx]
Sent: Monday, June 30, 2008 11:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Savannah,

You would use security filtering of the GPO that applies the loopback setting. So, for example, if your TS machines are called TS1 and TS2 and you wanted only TS2 to run in loopback mode, you would remove "Authenticated Users" from the loopback GPO and add the TS2 machine account to the GPO's security filter.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 9:23 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Ok, I had this enabled, but the policy is still applying to both terminal servers. How do I tell it which one it needs to apply to?

_____

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx]
Sent: Monday, June 30, 2008 8:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GP apply per machine?

Savanah,

Yes, that is called loopback processing. It means that User policy gets applied based on the location of the computer object, not the user object. Check out this Microsoft KB article for more details:

http://support.microsoft.com/?id=231287

Regards,

Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | Work: 405.552.8054 | http://www.dvn.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison
Sent: Monday, June 30, 2008 8:54 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GP apply per machine?

Is there a way to get my group policy to apply only if the users log in to one of my terminal servers, but not the other?

Thanks!

CONFIDENTIAL NOTICE: This electronic transmission and any documents or other writings sent with it constitute confidential information intended only for the named recipient. If you have received this communication in error, do not read it.
Please reply to the sender that you have received the message in error, then delete the message. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachment(s) by anyone other than the named recipient is strictly prohibited.

_____

Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
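The scoping behaviour worked out in this thread, as an added example that is not part of any poster's message: a simplified Python model of GPO link scope, security filtering and loopback, run against the linking described above and against the advised fix. The domain name, the user name, both servers sitting in the TS OU, the TS OU link being enabled once the domain link is removed, and merge-mode loopback are assumptions; TS1 and TS2 are the machine names used in the thread's own example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    gpo: str
    container: str           # DN of the domain or OU that carries the link
    enabled: bool = True

@dataclass(frozen=True)
class Gpo:
    name: str
    apply_to: frozenset      # security filter: principals allowed to apply it
    loopback: bool = False   # computer-side setting that switches loopback on

def in_scope(dn, links):
    """Names of GPOs with an enabled link on a container above the object."""
    # CN=Users is a container, not an OU, so it cannot hold links of its own:
    # an account stored there only inherits the domain-level links.
    return {ln.gpo for ln in links if ln.enabled and dn.endswith("," + ln.container)}

def user_gpos(user, user_dn, comp, comp_dn, gpos, links):
    """GPOs whose user settings reach `user` at logon to `comp`."""
    by_name = {g.name: g for g in gpos}
    comp_scope = in_scope(comp_dn, links)
    # Loopback is on only when a GPO carrying the setting applies to the machine.
    loopback = any(by_name[n].loopback and comp in by_name[n].apply_to
                   for n in comp_scope)
    candidates = in_scope(user_dn, links)        # normal user processing
    if loopback:
        candidates |= comp_scope                 # merge mode (assumed here)
    return sorted(n for n in candidates if user in by_name[n].apply_to)

# Constructed sample data (domain name and user name are assumptions).
DOMAIN = "DC=example,DC=com"
TS_OU = "OU=TS," + DOMAIN
USER_DN = "CN=testuser,CN=Users," + DOMAIN
GPOS = [Gpo("TerminalServerPolicy", frozenset({"TS2", "testuser"}), loopback=True)]
AS_POSTED = [Link("TerminalServerPolicy", DOMAIN),
             Link("TerminalServerPolicy", TS_OU, enabled=False)]
AS_ADVISED = [Link("TerminalServerPolicy", TS_OU)]   # domain link removed

def logon(comp, links):
    return user_gpos("testuser", USER_DN, comp, f"CN={comp},{TS_OU}", GPOS, links)

if __name__ == "__main__":
    for label, links in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        for comp in ("TS1", "TS2"):
            print(f"{label:10} {comp}: {logon(comp, links)}")
```

With the domain-level link in place the user picks the GPO up through normal user processing on either server; with only the TS OU link, the user settings arrive solely through loopback on the one filtered machine.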