Jason- The other possibility is that the computer has not picked up its new group membership. In fact, only a reboot will refresh the workstation's token with the new group information. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Williams Sent: Monday, January 28, 2008 4:28 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Group Policy and WMI question Appreciate the help. I started to work on this today. I did as you followed and created a special group that and dropped that specific workstation into that group. Under that GPO Security tab, I added that group and selected to DENY for "Apply Group Policy". However, doing a gpresult still shows that the policy is being applied. I thought as well, that when you deny a policy, that is it. The only other thing I can think of is that I do have a WMI filter on that is set to only apply this particular policy to Windows XP machines, and the machine I am trying to deny it to, is XP. That might be conflicting as I think about it. I appreciate the help. Jason On Jan 15, 2008 9:54 AM, Jakob H. Heidelberg <jakob@xxxxxxxxxxxxxxx> wrote: The simple way is to use Security filtering. Create a group called something like "No_Firewall_Policy_Machines", add the workstation to that group and then on the GPO Security tab (delegation in GPMC) you can Deny "Apply Group Policy" for that group. You could turn around that method - so the policy would apply only to a particular group with all of your domain computers except that particular machine (in this case remember to remove the Authenticated Users group). But in your case Deny-method might be easier. /Jakob From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Williams Sent: 15. januar 2008 18:40 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Group Policy and WMI question I have a group policy for Windows XP Firewall that is set to all of our desktop computers. I also put in a WMI filter that says to only apply this policy to Windows XP machines and not Vista machines (was causing issues when we did this.) Anyway, I have been given a request to see if it is possible to have one specific computer that is running XP, excluded from this particular group policy. Is this something I can do? Perhaps done through WMI or another method? I just started to look into this, so I am open to any suggestions. I appreciate it. Jason