Hi, If I understand you correctly, what is happening is that the Local Admins are being locked out, even though neither policy is being applied... I am not sure what Darren means by "because the new domain knows nothing about them (and thus doesn't know to remove them)". I thought the only information about old policies was held in the NTUSER.POL file, so provided that moved across, old policies (or at least the non tattooed parts of it) would be removed. The problem could be that the Default User directory was built by copying over the NTUser.dat from a user that had the policy applied, but the NTUSER.pol was not copied. This means that the registry has the non tattooed entries, but Group Policy doesn't know how to remove them. Also, wouldn't it be easier to just have one policy, and put ADMINS in the DENY list? Alan Cuthbertson -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Wednesday, 19 November 2008 9:45 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Group Policy sticks after domain migration In addition, in general when you move machines between domains, policies get stuck from the old domain because the new domain knows nothing about them (and thus doesn't know to remove them). So, I do recommend that before you move machines between domains, you move them to a "staging" OU that has no GPOs applied to it. Let the machines process the lack of policy and then move into a new domain. Also, you can use my freeware Clean Registry Policy (www.sdmsoftware.com/freeware) which is designed to clean up registry policy from computers moved from domains. Darren -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jake (sanfranjake) Sent: Tuesday, November 18, 2008 2:23 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Group Policy sticks after domain migration Your big mistake is using Authenticated Users. At thee verty least with this strategy I'd use a separate security group so you have at least a way to filter admins out. As admins are authenticated users, you will keep running into this type of issues, therefore I'd recommend a separate TSAPP-security group which filters this policy. -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Kaiser, Charlie Sent: Tuesday, November 18, 2008 10:41 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Group Policy sticks after domain migration Hi all... Scenario: W2K3 native mode AD domain (domain1) W2K Terminal server locked down with GPO (computer configuration, administrative templates, Start Menu and taskbar (among many others)) that applies to auth users. Second GPO that disables all those lockdowns that applies only to domain admins and enterprise admins. Works fine. Users get nothing except the app, domain admins get everything. Problem: Domain migration project. Move all member servers to W2K3 native mode AD domain (domain2). Now GPOs from domain 1 are still applied. Server admins cannot get into the box. Login and get locked down desktop. Domain admins in domain2 can get in fine, but now local admins group needs access. Gpresult doesn't show the settings being applied. No apparent way to remove. Any ideas? I'm thinking move the box back to domain1, remove GPO and force, verify access, and then move back to domain2... Any other ideas? Thanks! ********************** Charlie Kaiser W2K3 MCSA/MCSE/Security Systems Engineer 925 274 3183 desk 925 890 3517 cell ********************** ********************** Charlie Kaiser W2K3 MCSA/MCSE/Security Systems Engineer 925 274 3183 desk 925 890 3517 cell ********************** *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************