Hi all,

Our Default Domain Policy adds Domain Admins to the "Allow log on through terminal services" on all machines in our domain. I created a new GPO to allow a specific single user account to log on to a specific virtualised XP box and applied at a sub-OU level containing the XP box object.

Having been working remotely (using MSTSC) on the virtual XP box all day today absolutely fine, after I applied the policy it wouldn't let me on, giving me the standard error "the local policy of this system does not permit you to logon interactively". I assume this is because the newer GPO is overriding the domain GPO due to it being more specifically applied?

Going forward, I don't want to have to add all the users who are allowed to RDP into machines to every policy that specifies this permission just because in some instances I want to specify a particular user for a particular machine. Is it possible to merge policy settings? Is this where loopback processing would be applied?

Thanks
Andrew
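The scenario in the post above, as an added example that is not part of the original post: a user right such as "Allow log on through Terminal Services" (`SeRemoteInteractiveLogonRight`) is one list-valued setting, and the last GPO applied that defines it supplies the whole list. The sketch parses two constructed `GptTmpl.inf` fragments (the SIDs are made-up sample values, and the function names are hypothetical) and shows both the effective list and the list the OU-level GPO would have to carry to keep the domain-level entries.

```powershell
# Constructed GptTmpl.inf fragments; the SIDs are sample values, not real accounts.
$domainGpo = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-512
'@

$ouGpo = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@

# Return the SID list a GPO assigns to one user right, or $null if it does not define it.
function Get-PrivilegeRight {
    param([string]$InfText, [string]$Right)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            return ,@($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $null
}

# Walk GPOs in the order they apply (domain first, most specific OU last).
function Resolve-EffectiveRight {
    param([string[]]$GposInApplyOrder, [string]$Right)
    $effective = $null; $union = @()
    foreach ($inf in $GposInApplyOrder) {
        $value = Get-PrivilegeRight -InfText $inf -Right $Right
        if ($null -ne $value) {
            $effective = $value                                  # later GPO replaces the whole list
            $union = @($union + $value | Select-Object -Unique)  # what a merge would have produced
        }
    }
    [pscustomobject]@{ Effective = $effective; NeededToKeepAll = $union }
}

$r = Resolve-EffectiveRight -GposInApplyOrder @($domainGpo, $ouGpo) -Right 'SeRemoteInteractiveLogonRight'
"Effective on the XP box : $($r.Effective -join ', ')"
"List the OU GPO needs   : $($r.NeededToKeepAll -join ', ')"
```

With these inputs the effective list contains only the `-1105` user, which matches the lockout described in the post; the second line is the list that would keep Domain Admins as well.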