Strange. I would open up the local security policy on one of the affected workstations and check the local "Allow Logon through Terminal Services" and "Deny Logon through Terminal Services" settings to see which groups and/or users are listed in the policy. Is the user in question or the group in question a member of the domain or local machine Guest group?

What if you try to add the user specifically to Remote Desktop Users instead of the group and see if that works? You can also try removing the user from Remote Desktop Users and adding him to only the local Administrators group and see if that works, just for testing of course.

Is the machine Windows XP, Vista, Server 2003?

Omar

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Francis Revere
Sent: Monday, July 30, 2007 11:41 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy/AD delegation issueq

Thanks for the information, Omar. I disabled the policy and forced an update on the server. I added group1 to the Remote Desktop Users group on the server. Still, when I attempt to log in as one of the users in the group, I receive the message that "to login to the computer, you must be granted the Allow to log on through Terminal Services right."

Something is not right here. I have group1 set up exactly as Domain Admins: Full control on the computer object in AD, group1 added to the Remote users on the Remote tab in server properties.

Any ideas???

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Omar Droubi
Sent: Monday, July 30, 2007 12:42 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy/AD delegation issueq

Did you check on the machine the policy applied to that the remote desktop checkbox was indeed checked and grayed out, to verify that the policy was indeed applied?

Next I would verify that the firewall on the machine in question is either disabled or allows the Remote Desktop Protocol. Even many new antivirus products have firewalls built in and can restrict this function. So I would first verify that it works without the GPO, then uncheck the checkbox, apply the GPO and try again.

Omar

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Francis Revere
Sent: Monday, July 30, 2007 8:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy/AD delegation issueq

What I am attempting to do: Create an AD group that has Full control of a specific server in an OU and can remote into this server only within the OU (for software installation).

What I have done and tried: I have a group in AD called group1 with 2 members. This group has been added to the security tab of a server, called server1, with Full control. I created a GPO called test and defined "Allow Login through Terminal Services" and set it to group1. Within the scope, I applied the policy to the OU with server1 in it, and added server1 to the security filter. This did not work for some reason. I even went as far as logging into server1 and adding group1 to the remote users group, to no avail.

What am I missing???? I know that it is probably something really simple.
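
Added example, not part of the original thread: the check of the local Allow/Deny "log on through Terminal Services" settings that Omar suggests, done in PowerShell against a secedit user-rights export (SeRemoteInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight), with a deny entry overriding any allow entry. The export text, the domain SIDs and the function names Get-PrivilegeRights and Test-RdpLogonRight are constructed for illustration.

```powershell
# Constructed sample of the file written on the server by:
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The domain SIDs ending in -1105 (standing in for group1) and -1106 are made up.
$export = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1106
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-PrivilegeRights {
    param([string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($raw in $InfText -split "`r?`n") {
        $text = $raw.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]   # right name, e.g. SeRemoteInteractiveLogonRight
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-RdpLogonRight {
    param([hashtable]$Rights, [string[]]$TokenSids)
    # A logon is permitted only if some SID in the token is allowed and none is denied.
    $allow = @($Rights['SeRemoteInteractiveLogonRight'] | Where-Object { $TokenSids -contains $_ })
    $deny  = @($Rights['SeDenyRemoteInteractiveLogonRight'] | Where-Object { $TokenSids -contains $_ })
    [pscustomobject]@{
        AllowedVia = $allow -join ','
        DeniedVia  = $deny -join ','
        CanLogOn   = ($allow.Count -gt 0 -and $deny.Count -eq 0)
    }
}

$rights = Get-PrivilegeRights $export
$group1 = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
# Token SIDs as "whoami /groups" would list them: group1 plus Remote Desktop Users (S-1-5-32-555) ...
Test-RdpLogonRight $rights @($group1, 'S-1-5-32-555')
# ... and the same user if also a member of Guests (S-1-5-32-546), which the deny right lists.
Test-RdpLogonRight $rights @($group1, 'S-1-5-32-555', 'S-1-5-32-546')
```

In this constructed export group1 itself is not listed in the allow right, so the first token passes only through Remote Desktop Users membership; running the same functions on a real export from the affected server shows which group, if any, actually grants or denies the right.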