Hi Jamie,

This seems to be a much better way, thanks for pointing it out. However, I have created a new GPO, added a restricted group called Remote Desktop Users by using Browse/Check Name, added a particular user to the restricted group, applied the GPO to an individual workstation and linked it to an OU which contains a child OU with the workstation in. I have run gpupdate /force twice. Both times it tells me it requires a reboot, which I do. After the reboot the user I added to the restricted group does not appear in the local Remote Desktop Users group.

Is the Remote Desktop Users group I added as a restricted group a domain group? If so, how do I add local machine groups to restricted groups? All efforts to search for builtin/Remote or Remote have failed to return one.

Many thanks,
Andrew

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx]
Sent: 01 December 2008 17:57
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Merge GPO's assigning "Allow log on through TS"?

Instead of changing your security policy, why not just use restricted groups to add users to the local "Remote Desktop Users" group (which already has TS logon access)?

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew McHale
Sent: Monday, December 01, 2008 10:22 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Merge GPO's assigning "Allow log on through TS"?

Hi all,

Our Default Domain Policy adds Domain Admins to the "Allow log on through terminal services" right on all machines in our domain. I created a new GPO to allow a specific single user account to log on to a specific virtualised XP box and applied it at a sub-OU level containing the XP box object.

Having been working remotely (using MSTSC) on the virtual XP box all day today absolutely fine, after I applied the policy it wouldn't let me on, giving me the standard error "the local policy of this system does not permit you to logon interactively". I assume this is because the newer GPO is overriding the domain GPO due to it being more specifically applied?

Going forward, I don't want to have to add all the users who are allowed to RDP into machines to every policy that specifies this permission just because in some instances I want to specify a particular user for a particular machine. Is it possible to merge policy settings? Is this where loopback processing would be applied?

Thanks,
Andrew

________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
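A check an administrator can run on the workstation to see what the GPOs in this thread actually produced, added here as an example and not part of the original messages: it reads the effective "Allow log on through Terminal Services" right (SeRemoteInteractiveLogonRight) from a secedit export and compares it with the local Remote Desktop Users membership, so a restricted group that did not populate or a user right that was overridden shows up directly. It assumes PowerShell 5.1 or later run elevated on the target machine; CONTOSO\jdoe is a placeholder account name.

```powershell
# Added example (not from the thread): verify what a Restricted Groups / User Rights GPO
# produced on a workstation after gpupdate /force and a reboot.
# Assumes PowerShell 5.1+ (for Get-LocalGroupMember), run elevated on the target machine.

function Get-RemoteInteractiveLogonRight {
    # secedit exports the effective local security policy as an INI-style file; the
    # [Privilege Rights] section lists each right as "SeRight = *SID,*SID,..."
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right granted to nobody on this machine
    # Values are SIDs prefixed with '*'; translate each to an account name where possible
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        }
        catch { $sid }   # unresolvable SID (e.g. deleted account): show it raw
    }
}

function Test-RdpAccess {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\jdoe' (placeholder)
    $rightHolders = @(Get-RemoteInteractiveLogonRight)
    $rdpMembers   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
                      Select-Object -ExpandProperty Name)
    # RDP logon needs the account (directly or via a group) to hold the right;
    # membership in Remote Desktop Users only helps if that group still holds it.
    [pscustomobject]@{
        Account              = $Account
        InRemoteDesktopUsers = $rdpMembers   -contains $Account
        GroupHasLogonRight   = $rightHolders -contains 'BUILTIN\Remote Desktop Users'
        DirectLogonRight     = $rightHolders -contains $Account
        RemoteDesktopUsers   = $rdpMembers   -join '; '
        AllRightHolders      = $rightHolders -join '; '
    }
}

Test-RdpAccess -Account 'CONTOSO\jdoe' | Format-List
```

If InRemoteDesktopUsers is false after the reboot, the restricted group setting did not apply to the local group; if GroupHasLogonRight is false, a more specific GPO has replaced the right assignment rather than merged with it.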