Hi Scott, I am not sure exactly what you mean, but I think the answer may lie in LoopBack processing. It sounds like you may have Loopback processing enabled as REPLACE on your TS OU. Of course the User modeling tool should still give the correct answer. In these sorts of cases, I always enable verbose logging then check out the UserEnv log to find out what is REALLY happening, rather than what is supposed to happen. To help, I have a free tool that makes more sense of the log. You can download it from http://www.sysprosoft.com/policyreporter.shtml You probably know all about Loopback processing, but if not it allows you to give the user different sets of policies depending which machine they log on to. If you set loop back processing on the Machine policy in the TS OU to REPLACE you can get two different sets of policies:- When User logs on to a LAB PC they will get Policies D, A When User logs on to a TS OU they will get Policies E, A If you set loop back processing on the Machine policy in the TS OU to MERGE you can get two different sets of policies:- When User logs on to a LAB PC they will get Policies D, A When User logs on to a TS OU they will get Policies D, A, E, A You could of course set Loopback processing on each of the specific LAB policies. If this was set to replace they would get C, B, A . If it was set to merge, they would get D, A, C, B, A (Note: I have shown the policies in the order that they will be applied. In the "merge" case, the domain policy actually gets applied twice) Hope this helps. Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml> &f=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml> &f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml> &f=policyreporter.shtml _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Bean, Scott Sent: Thursday, 18 October 2007 4:21 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] user config questions First let me describe my current setup. --domain.local (A) |----Specific OU |----Labs(B) |----Specific Lab(C) |----Users(D) |----TS OU(E) At the domain.local level I have 3 Policies that affect the domain. At the specific OU level I have nothing. At the Labs level I have one policy. (I have many Specific Lab OUs but am keeping it simple - Each having its own policy due to desktop and start menu redirection) At the Specific Lab level I have one policy that contains user config settings. All Users that are in the Users OU that log onto a machine in the Specific Lab OU get the correct settings. Now at the TS OU I have 2 policies. One is Computer Config. The other is User Config. Basically I need to have multiple User Configs based on groups. The main reason for this is that we do desktop and start menu redirection. The TS OU is for a group of 2003 Terminal Servers. My user that is in the Users (listed above) is not getting the correct user config when logging into a Terminal Server. If I move the user to the TS OU the Group Policy Modeling tool shows that I should get the correct policies but when I log on it still does not have the correct settings. If the user is in the Users OU and I check the Group Policy Modeling tool then the user config policy doesn't show up under applied gpos. I guess my question is will I have to block inheritance on all the Specific Lab OUs then instead of having my user config policy on the TS OU move it to the Users OU? Or what exactly is the best way to do this? Sorry if this is somewhat confusing.