Hey All, Here's my problem. I have a loopback GPO applied to some Citrix servers, which locks down the users. The admins, however, need "normal" access to the servers through RDP, so, per Darren's recommendation, I created a group for the admins which I permission with a Deny for the Apply Group Policy. This has worked, but not for all the admin accounts for some reason. I ran a USERENV.LOG to compare the an account that was properly having the GPO apply denied, and one that wasn't working as prescribed. In the logs, both are indicating that the GPO "is not getting applied" and is skipped. However, there is a point in the USERENV.LOG where it shows the GPO entries being backed out for the working one, and not being backed out for the non working one. For example: Working properly: USERENV(28c.165c) 17:20:51:094 ParseRegistryFile: Entering with <C:\Documents and Settings\goodGPOuser\ntuser.pol>. USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdat e USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\MemCheckBoxInR unDlg USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMor ePrograms USERENV(28c.165c) 17:20:51:094 DeleteRegistryValue: Deleted Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetworkConne ctions ... 150 more lines... USERENV(28c.165c) 17:20:51:344 DeleteRegistryValue: Deleted Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS\ProxyPolicy USERENV(28c.165c) 17:20:51:344 DeleteRegistryValue: Deleted Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS\BypassProxyLo cal USERENV(28c.165c) 17:20:51:344 ParseRegistryFile: Leaving. USERENV(28c.165c) 17:20:51:344 ResetPolicies: resetting shell autorun value for server. USERENV(28c.165c) 17:20:51:344 ResetPolicies: Leaving. Not removing policy: 1. USERENV(28c.1630) 17:31:57:812 SetRegPermissionsOnPoliciesKey: Resetting permission on the policy key 2. USERENV(28c.1630) 17:31:57:812 ParseRegistryFile: Entering with <C:\Documents and Settings\badGPOuser\ntuser.pol>. 3. USERENV(28c.1630) 17:31:57:812 ParseRegistryFile: Leaving. 4. USERENV(28c.1630) 17:31:57:812 ResetPolicies: resetting shell autorun value for server. 5. USERENV(28c.1630) 17:31:57:812 ResetPolicies: Leaving. Notice that between lines 2 & 3, there are no "DeleteRegistryValue" lines, and so.... the policy is still in play. Thanks for any comments/clues/"where to goes to see what the heck is going ons" Robert Tannehill Sr. Computer Engineer Computer Sciences Corporation