Hey Alan, Thanks for the replay. What I mean is this: my dc is processing the default domain gpo INSTEAD of the gpo I assigned to admin users. It happens only when I log with the built-in domain account of "Administrator" but not with my account "XXXXX" which is part of the Domain admin group and a few other administrative groups. The built-in "Administrator" account is a member of all the various groups, all those groups and even the user itself is suppose to get the "Admin Gpo" since it is forced and filtered by users/groups. For some reason it doesn't happen, I guess my title was misleading since it was more "Stop the built-in admin account I use to access my dc from processing the default gpo" J Thank you, Asaf E | IT & Security | eToro W www.eToro.com etoro-logo If you have received this email message in error, please notify the sender immediately by telephone or return email and refrain from taking any action relating to the content of the email. Thereafter, please destroy the original message without making a copy. You may not use the content of the email without first obtaining prior written consent from the sender. You may not forward this email to anyone other than the sender for notification purposes. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan & Margaret Sent: Sunday, September 07, 2008 14:53 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: How to stop Dc From processing the default gpo? Hi Asaf, Just clarifying your statement. you mean that when you log on to the DC as administrator, you receive all of the user components of the Default domain GPO, but when you log on as a non administrator, you do not receive the user components of the default domain GPO. I am a little confused by the title of your post. it suggests that your aim is to stop the DC from processing the GPO.. Normally a user logging on to the Domain Controller would expect the same policies to be applied as when they log on to a normal machine (unless loopback is enabled).. Have you checked event log to see if there are any messages? Do you get the same behavior logging on to other machines? If you are not getting anything on the event log, I would suggest enabling detailed logging and check out the UserEnv log. It will at least tell you in detail what is going on. See http://support.microsoft.com/kb/221833 The log is a bit cryptic, so if you like, post the UserEnv log and we can look at it for you Alan Cuthbertson Policy Management Software (Now with ADMX and Preference support):- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml> &f=pol_summary.shtml ADM Template Editor(Now with ADMX support):- http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml> &f=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir <http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml> &f=policyreporter.shtml _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Asaf Efrati Sent: Sunday, 7 September 2008 7:11 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] How to stop Dc From processing the default gpo? Hello, I have a problem with my Gpo processing, for some reason although I have a forced admin policy with the relevant admin accounts as the security filtering (schema, domain etc) For some reason my DC is processing the default domain Gpo when I log in as administrator but not when I log in with my user. I can't find any difference between the two. The default domain Gpo is set to Authenticated users. Any thoughts and help will be appreciated, I am afraid to change things because I already had a few problems when changing things globally J Thank you, Asaf E | IT & Security | eToro W www.eToro.com etoro-logo If you have received this email message in error, please notify the sender immediately by telephone or return email and refrain from taking any action relating to the content of the email. Thereafter, please destroy the original message without making a copy. You may not use the content of the email without first obtaining prior written consent from the sender. You may not forward this email to anyone other than the sender for notification purposes.