Is tan1 a user or a computer? Sounds like it's a user object in which case your policy will not apply as although you initially linked it to the Domain Controllers container, you changed the security to the group with the user in it. Either put in a DC name in the security group (if you only want policy to apply to that particular DC) or put back authenticated users. -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of tan hs Sent: Wednesday, 12 March 2008 7:25 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Windows Server 2003 R2 SP2 GPO Access denied (security filtering) Hi, I am new to GP on the above mentioned. I setup a new server which is the only server as domain controller. Then, I have created a global security group "grp_limited" and assiged a member 'tan1' to the group. The "grp_limited" is a member of "Remote Desktop Users". Everything went fine, and I am able to connect into the server using its own RDC. My first task is to try to disable all drive redirection from this server. I am running the GPMC and created a new policy under "Group Policy Objects" name "MRS L". I created a link in under the "Domain Controllers" and enabled the "MRS L". In the "MRS L" scope, under the "Security Filtering" panel a "Authenticated Users" group was automatically assigned to it. In the "MRS L" policy, I only have a setting. Computer Configuration->Admin Templates->Windows Components-> Terminal Services->Client/Server data redirection->Do no allow drive redirection "Enabled". Then, I run the wizard on tan1 in GP Result, all the policy were applied correctly. Later, I removed the "Authenticated Users" from the "MRS L" policy and replaced with "grp_limited" and do multiple times of "gpupdate /force" and reboot the server. I rerun the wizard earlier and recreate new wizard, this "MRS L" policy just stuck in the Denied GPOs in the result with reasons "Access Denied (security filtering)". I tried with some tool like GPExpert but I still can't figure out what goes wrong. I even tried to set the Delegation to the 'tan1' and 'grp_limtied' with Full Control permission also doesn't help. Can some experts help me on this? bare in mind, I do all these in the same machine. Thank you. *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************