Thanks Steven and Omar, I did just apply the security filtering to the Global groups for now. We are running in 2000 Mixed mode and I came across a good windowsITpro article explaining the differences (including support for nested groups). http://www.windowsitpro.com/Articles/ArticleID/7156/7156.html?Ad=1 We plan on raising It in the near future, so I'll try it again then. Thanks for your help. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Friday, May 04, 2007 2:03 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: group policy security filtering I would recommend that you check to see if you can raise your domain functionality to Native Mode then change this domain local group to a global group or a universal group and things should work as desired. With native mode group nesting is much more flexible If you cannot change the domain to native mode- just change the security filtering- not WMI filtering to apply the GPO to all of the global groups you want that policy to apply to. Omar From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Sent: Thursday, May 03, 2007 5:13 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: group policy security filtering As long as the access denied if from Security Filtering, that is exactly how you should be applying your policies. managing them by group makes life a lot easier. i do have a question though, are you using WMI queries in your scripts, or anywhere else in your domain? Depending upon any added security specifically for WMI you should not need to do this. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Matthew Sent: Thursday, May 03, 2007 1:55 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] group policy security filtering I created a Domain Local Group and added it to the WMI Security filtering of my GPO. I then added several other Global groups as members of that Domain Local Group. When I try logging in as a user who is a member of one of those Global Groups, Group Policy Results says that Access is Denied to the GPO. I set it up this way so that I can apply GPO's by just adding a group to another group. Can this even work? Thanks - MJ CONFIDENTIALITY STATEMENT: This electronic message contains information from Fisher-Titus Medical Center and may be protected health information or other confidential and privileged information under law. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this message is prohibited. If you have received this electronic message in error, please notify the sender immediately by reply e-mail or telephone at 419/668-8101.