Hi Daren, Thanks for you reply. Yes, clients are logging in without participating in the domain. Yes, the can logging as a remote user as long as they are the member of Remote Desktop User group. Yes, the default policy is "Authenticated Users" which means all users successfully login. If I dont want this policy to apply to all "Authenticated Users" but to a new group of users, let says, "grp_limited" group which is a member of "Remote Desktop Users" and "grp_limited" have a member "user1". By removing the "Authenticated Users" from the policy and adding the new group "grp_limited", when 'user1' login using Remote Desktop Connection, this policy will be Deined Access (security filtering). In short, I would like this user 'user1' in 'grp_limited' group to get this policy applied regardless of computers they are logging from. Please bare with me, becoz I am a beginner on GP. Bye Tan *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************