After looking at this for a bit, here is what I have come up with. Here is my setup:

At the root of the domain I have a policy.
Under the OU of Test I have a policy.
Under the OU Lab (which is an OU inside of Test) I have a policy.

Domain policy has computer and user settings.
Test OU policy has computer and user settings.
Lab OU policy only has user settings.

If I don't put Authenticated Users as "apply group policy" allow on the Test OU (even though I have a group that my test user is in with the same settings), then that policy doesn't get applied, nor does the policy on the Lab OU.

If I run the Results wizard on this machine with my test user, without Authenticated Users, then I get the following:

Under the computer config summary \ Group Policy Objects \ Applied GPOs I get the default Domain Policy (but this policy has Authenticated Users "apply group policy").

Under the computer config summary \ Group Policy Objects \ Denied GPOs:

Name                                      Link Location          Reason Denied
Local Group Policy                        Local                  Empty
{E12678B5-A484-4084-B0B2-9868F6ECDF9B}    Root domain/Test/      Inaccessible
{BD2C1ECB-FEF4-4AB3-B4B3-6D2D9673D858}    Root domain/Test/Lab   Inaccessible

And under the User config these 2 policies don't even show up.

Now if on the Test OU I add Authenticated Users and "apply group policy" set to allow, here is what happens:

Under the computer config summary \ Group Policy Objects \ Applied GPOs I get the default Domain Policy (which has the Authenticated Users "apply group policy" set to allow). I also get the Test OU policy (which now has the Authenticated Users "apply group policy" set to allow).

Under the User config I now get all 3, despite the fact that on the Lab OU policy I do not have Authenticated Users set but I do have the group my user is in set to allow "apply group policy".

Also, if I take a user that has deny on the Test OU policy, it applies the computer config but only denies the user config. Should it not deny the whole policy?

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, October 17, 2008 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: permissions and gpos

Scott-

This should work if I understand your scenario. How have you granted the deny ACE? What are you denying? Have you looked at the Effective Permissions tab in the ACL editor to see if it thinks that your computer in question has the correct rights?

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Bean, Scott
Sent: Friday, October 17, 2008 7:57 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] permissions and gpos

I have been upgrading my policies to the new Vista format. I have a seemingly simple question about permissions. How do I stop the computer configuration from being applied to certain groups? I have to put Authenticated Users as apply for the computer configuration to take place. But if I have a nested group and set that as deny, it still gets the computer configuration, which has caused a huge problem and headache this Friday morning.

Basically I have a policy that I want one nested group to get but not another.

Thanks in advance,
Scott