A far better approach here, in my opinion, is to create three policies...

1) Terminal Server Policy - will only contain the "Machine" settings, including enabling Loopback processing, and left applied to Authenticated Users. Don't put user settings in this policy.

2) Terminal Server User Policy - will only contain "User" settings, and also left applied to Authenticated Users. Don't put machine settings in this policy.

3) Terminal Server Admin Policy - will only contain "User" settings, and simply "reverses" out some of the lockdowns applied by the "Terminal Server User Policy". The Authenticated Users group should be removed, and then add the required Admins group. Don't put machine settings in this policy.

Set the priority order to apply as listed, and all will work as required.

Cheers,
Jeremy.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Alan and Margaret Cuthbertson
Sent: Saturday, January 24, 2009 5:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Lockdown Policy on Terminal Server

Hi Bill,

It should work the way you are suggesting, however I am guessing that you are using loop back processing and that this is being set in the same policy. If you remove Authenticated Users from the policy then the machine setting to enable loop back policy will also be removed.

Your first suggestion of putting "deny" on the policy for ADMINS should work.... assuming you are talking about the policy that contains the actual user settings rather than the loopback enable setting.

Hope this helps.
Alan Cuthbertson

Policy Management Software (Now with ADMX and Preference support):- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor (Now with ADMX support):- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter - including Preference logging (Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of McDonald, William
Sent: Saturday, 24 January 2009 5:39 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Lockdown Policy on Terminal Server

A TS policy only works for me if it is applied to the Authenticated Users group, but this applies the policy to all users, including administrators, even if I have admins set to deny applying policy. If I apply the group policy to another group, TS_App_Users, and remove Authenticated users or even just uncheck Apply Policy under Authenticated Users, then it won't get applied at all. How is this supposed to work?

Regards,
Bill McDonald
Systems Administrator II
Ebara Technologies, Inc.
51 Main Avenue
Sacramento, CA 95838
Direct: (916) 561-4865
Fax: (916) 920-5066
wmcdonald@xxxxxxxxxxxxx
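
The three-policy layout from the first reply in this thread, sketched with the GroupPolicy PowerShell module as an added example (not code from any of the posters). The OU path, the `TS_Admins` group name, the loopback Replace mode and the link-order reading are assumptions, and Authenticated Users is left with Read on the admin policy instead of being removed outright.

```powershell
# Added example: three GPOs with split machine/user settings and security filtering.
# Assumes the GroupPolicy RSAT module and an OU with no existing GPO links.
Import-Module GroupPolicy

$ou         = 'OU=Terminal Servers,DC=example,DC=com'  # hypothetical OU holding the TS computer accounts
$adminGroup = 'TS_Admins'                              # hypothetical admins group
$machineGpo = 'Terminal Server Policy'
$userGpo    = 'Terminal Server User Policy'
$adminGpo   = 'Terminal Server Admin Policy'

# 1) Machine-only GPO: enables loopback and stays applied to Authenticated Users.
New-GPO -Name $machineGpo | Out-Null
Set-GPRegistryValue -Name $machineGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null  # 1 = Merge, 2 = Replace (assumed)
(Get-GPO -Name $machineGpo).GpoStatus = 'UserSettingsDisabled'   # no user settings in this GPO

# 2) User-only lockdown GPO: default filtering (Authenticated Users: Apply) is kept.
New-GPO -Name $userGpo | Out-Null
(Get-GPO -Name $userGpo).GpoStatus = 'ComputerSettingsDisabled'  # no machine settings in this GPO

# 3) User-only GPO that reverses lockdowns, filtered to the admins group.
New-GPO -Name $adminGpo | Out-Null
(Get-GPO -Name $adminGpo).GpoStatus = 'ComputerSettingsDisabled'
Set-GPPermission -Name $adminGpo -TargetName $adminGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Downgrade Authenticated Users from Apply to Read rather than deleting the entry:
# since MS16-072, user policy is retrieved in the computer's context, which needs Read.
Set-GPPermission -Name $adminGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link so the GPOs apply in the order listed in the thread. The lowest link order
# number is processed last and wins, so the admin GPO gets order 1 (assumed reading).
New-GPLink -Name $adminGpo   -Target $ou -Order 1 | Out-Null
New-GPLink -Name $userGpo    -Target $ou -Order 2 | Out-Null
New-GPLink -Name $machineGpo -Target $ou -Order 3 | Out-Null

# Verify link order and who can apply each GPO.
(Get-GPInheritance -Target $ou).GpoLinks | Select-Object Order, DisplayName
foreach ($name in $machineGpo, $userGpo, $adminGpo) {
    Get-GPPermission -Name $name -All |
        Select-Object @{n='Gpo';e={$name}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```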