Alan, For loopback processing you have the concept correct but I think your order of policy application is incorrect. Remember that last policy applied wins with conflicting settings so loopback allows us to reprocess the user settings of a policy linked to a computer object- last to get these settings to be the final settings applied. For the loopback Merge mode you have: When User logs on to the computer in the TS OU they will get Policies applied in the following order: 1st user policy processing with loopback merge mode and policies inherited to the OU with the user: 1. Local computer policy will be applied 1st 2. Domain Policy "A" will be applied 3. User Policy "D" Then the policies inherited and applied to the OU with the computer object: 4. Local computer policy (user config section) 5. Domain Policy "A" (user config section) 6. TS OU Policy "E" (user config section) So last applied policy settings will be the final setting if there are any conflicting settings-and these will come from the user configuration settings nodes within policies linked and inherited to the container that has the computer object within. Here is a reference article; http://support.microsoft.com/kb/260370 Thanks, Omar From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret Sent: Wednesday, October 17, 2007 3:02 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: user config questions Hi Scott, I am not sure exactly what you mean, but I think the answer may lie in LoopBack processing. It sounds like you may have Loopback processing enabled as REPLACE on your TS OU. Of course the User modeling tool should still give the correct answer. In these sorts of cases, I always enable verbose logging then check out the UserEnv log to find out what is REALLY happening, rather than what is supposed to happen. To help, I have a free tool that makes more sense of the log. You can download it from http://www.sysprosoft.com/policyreporter.shtml You probably know all about Loopback processing, but if not it allows you to give the user different sets of policies depending which machine they log on to. If you set loop back processing on the Machine policy in the TS OU to REPLACE you can get two different sets of policies:- When User logs on to a LAB PC they will get Policies D, A When User logs on to a TS OU they will get Policies E, A If you set loop back processing on the Machine policy in the TS OU to MERGE you can get two different sets of policies:- When User logs on to a LAB PC they will get Policies D, A When User logs on to a TS OU they will get Policies D, A, E, A You could of course set Loopback processing on each of the specific LAB policies. If this was set to replace they would get C, B, A . If it was set to merge, they would get D, A, C, B, A (Note: I have shown the policies in the order that they will be applied. In the "merge" case, the domain policy actually gets applied twice) Hope this helps... Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Bean, Scott Sent: Thursday, 18 October 2007 4:21 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] user config questions First let me describe my current setup. --domain.local (A) |----Specific OU |----Labs(B) |----Specific Lab(C) |----Users(D) |----TS OU(E) At the domain.local level I have 3 Policies that affect the domain. At the specific OU level I have nothing. At the Labs level I have one policy. (I have many Specific Lab OUs but am keeping it simple - Each having its own policy due to desktop and start menu redirection) At the Specific Lab level I have one policy that contains user config settings. All Users that are in the Users OU that log onto a machine in the Specific Lab OU get the correct settings. Now at the TS OU I have 2 policies. One is Computer Config. The other is User Config. Basically I need to have multiple User Configs based on groups. The main reason for this is that we do desktop and start menu redirection. The TS OU is for a group of 2003 Terminal Servers. My user that is in the Users (listed above) is not getting the correct user config when logging into a Terminal Server. If I move the user to the TS OU the Group Policy Modeling tool shows that I should get the correct policies but when I log on it still does not have the correct settings. If the user is in the Users OU and I check the Group Policy Modeling tool then the user config policy doesn't show up under applied gpos. I guess my question is will I have to block inheritance on all the Specific Lab OUs then instead of having my user config policy on the TS OU move it to the Users OU? Or what exactly is the best way to do this? Sorry if this is somewhat confusing.