Instead of changing your security policy, why not just use restricted groups to add users to the local "Remote Desktop Users" group (which already has TS logon access)?

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew McHale
Sent: Monday, December 01, 2008 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Merge GPO's assigning "Allow log on through TS"?

Hi all,

Our Default Domain Policy adds Domain Admins to the "Allow log on through terminal services" on all machines in our domain. I created a new GPO to allow a specific single user account to log on to a specific virtualised XP box and applied at a sub-OU level containing the XP box object.

Having been working remotely (using MSTSC) on the virtual XP box all day today absolutely fine, after I applied the policy it wouldn't let me on giving me the standard error "the local policy of this system does not permit you to logon interactively". I assume this is because the newer GPO is overriding the domain GPO due to it being more specifically applied?

Going forward, I don't want to have to add all the users who are allowed to RDP into machines to every policy that specifies this permission just because in some instances I want to specify a particular user for a particular machine. Is it possible to merge policy settings? Is this where loopback processing would be applied?

Thanks
Andrew
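A check that fits this thread, added here as an example and not part of either message: it reads the effective user rights exported from the target machine and reports whether "Remote Desktop Users" is still listed for "Allow log on through terminal services" (`SeRemoteInteractiveLogonRight`), which is what the restricted-groups approach relies on. The export text and the account SID are constructed, and `Get-UserRight` is a hypothetical helper name.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes on the target machine. The account SID below is made up.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Hypothetical helper: return the principals listed for one user right.
function Get-UserRight {
    param([string[]]$Lines, [string]$Right)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # right not defined in the export
}

$rdu = 'S-1-5-32-555'   # well-known SID of BUILTIN\Remote Desktop Users
$holders = Get-UserRight -Lines $sample -Right 'SeRemoteInteractiveLogonRight'

if ($holders -contains $rdu) {
    "Remote Desktop Users holds the right; membership in that group is enough."
} else {
    "Remote Desktop Users is NOT listed. Current holders: $($holders -join ', ')"
}
```

Against a real export, pass `(Get-Content rights.inf)` as `-Lines` instead of `$sample`.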