Rob,

My standard on this kind of setup is to apply all restrictive TS based policies to the Citrix OU w/ loopback enabled of course on "replace" mode. With "replace mode" it doesn't matter what other OUs are out there for your laptop users, they only get Citrix specific restrictive policies when they log onto the Citrix servers.

On the Citrix OU itself, I'll generally have a policy breakdown like this:

Citrix Server policy - machine only policy (user policies disabled) applied to a security group containing only the Citrix servers. Security templates, machine level restrictions or settings applied here.

Restricted user policy - User only policy (machine policies disabled) applied to a security group containing only users logging into the system that require restrictions, or specialized desktops / start menus.

Admin user policy - User only policy (machine policies disabled) applied to either domain admins or an IT admin group. Generally used for login script support, and in some cases redirected start menus / desktops for admin folks.

Not to say that this is the only way to do this, but I've had no issues with this type of setup at many sites. In general I look to keep all Citrix related restrictions and controls isolated to the OU where the servers are. I don't see much reason to mix TS based policies w/ desktops, as generally the TS policies I've created (and more specifically the GP launched login scripts) are geared much more towards controlling the end user's environment within their terminal session.

HTH

J

-----Original Message-----
From: Rob Ellis [mailto:rob.ellis@xxxxxxxxxxxxxxx]
Sent: Friday, June 06, 2003 9:07 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Group policy

We currently have 2 metaframe XP servers, they sit in their own OU, with no specific policy applied. We give our users a full desktop, which they access through Nfuse & CSG.
The user accounts sit in a 'Normal Users' OU, to which a GPO has been applied to lock down various settings so that they don't break the Citrix servers, etc.

In addition, we have a load of laptops in their own OU, which has a GPO applied. We have used loopback processing so that both the machine and the user parts of this policy apply, overriding the 'Normal Users' OU policy. This is because laptop users also log into Citrix.

We are about ready to install a 3rd metaframe box, and I'm thinking about reworking the GPOs. How do people out there do GPOs in an environment like this?

Regards,

Rob Ellis
Network Manager
Profectus IT
Tel 023 9224 7979
Mob 07974 111867

********************************************************
This Week's Sponsor - Appsense Technologies
New! AppSense Optimizer is a new product from AppSense
designed to increase the user capacity of your servers.
http://www.appsense.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
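
The three-GPO layout described in the reply above, sketched with the GroupPolicy PowerShell module. This is an added example, not part of the original thread; the OU path, GPO names and the 'Citrix Servers' and 'Citrix Restricted Users' groups are hypothetical placeholders.

```powershell
# Added example: all names and the OU path are hypothetical placeholders.
Import-Module GroupPolicy

$CitrixOU = 'OU=Citrix Servers,DC=example,DC=test'   # assumed OU holding only the Citrix servers

# One entry per GPO: the group it is security-filtered to, and which half is disabled.
$Layout = @(
    @{ Name = 'Citrix Server Policy';   Group = 'Citrix Servers';          Status = 'UserSettingsDisabled' }
    @{ Name = 'Citrix Restricted User'; Group = 'Citrix Restricted Users'; Status = 'ComputerSettingsDisabled' }
    @{ Name = 'Citrix Admin User';      Group = 'Domain Admins';           Status = 'ComputerSettingsDisabled' }
)

foreach ($p in $Layout) {
    $gpo = New-GPO -Name $p.Name
    $gpo.GpoStatus = $p.Status          # machine-only or user-only policy

    # Security filtering: only the named group gets "Apply group policy".
    Set-GPPermission -Name $p.Name -TargetName $p.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Demote Authenticated Users from Apply to Read rather than removing it:
    # the server's computer account must still be able to read the user-only
    # GPOs for loopback processing to pick them up.
    Set-GPPermission -Name $p.Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Everything is linked to the Citrix OU only, never to the user or laptop OUs.
    New-GPLink -Name $p.Name -Target $CitrixOU | Out-Null
}

# Loopback processing lives in the machine policy: UserPolicyMode 1 = merge, 2 = replace.
$LoopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name 'Citrix Server Policy' -Key $LoopbackKey `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Check: the links on the OU, each GPO's enabled half, and the loopback value.
(Get-GPInheritance -Target $CitrixOU).GpoLinks | Select-Object DisplayName, Enabled, Order
$Layout | ForEach-Object { Get-GPO -Name $_.Name } | Select-Object DisplayName, GpoStatus
Get-GPRegistryValue -Name 'Citrix Server Policy' -Key $LoopbackKey -ValueName 'UserPolicyMode'
```

Running gpresult on one of the servers as a restricted user should then list only the user GPOs linked to the Citrix OU, with nothing from the 'Normal Users' or laptop OUs.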