Thanks everyone for your help with this. It is working the way I want at this time, and I feel I have a much greater understaning of the loopback process and the effects of computer section vs. user section on terminal servers. I'm still using "merge" for my loopback at this time, but I will look into changing that to "replace". I'm not sure of all the implications for doing that on the network I recently inherited. Thanks again! Regards, Bill McDonald Systems Administrator II Ebara LogoEbara Technologies, Inc. 51 Main Avenue Sacramento, CA 95838 Direct: (916) 923-7865 Fax: (916) 920-5066 wmcdonald@xxxxxxxxxxxxx -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Thursday, March 13, 2008 6:44 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: access denied (security filtering) Hi Tan- Computers that are not part of the domain cannot participate in domain-based GP at all. However, I'm not clear on what you are saying below. It sounds like you are saying that users logging into your TS servers are doing so from machines not in the domain. That is ok as long as they have user accounts in the domain. In those cases, the loopback GPO (and any other per-user GPOs that apply to the TS boxes will apply to those user accounts as long as you are not filtering those users away via group membership (e.g. by default all users will get per-user loopback policy if you've left Authenticated Users as the ACE on the GPO). Darren -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of tan hs Sent: Thursday, March 13, 2008 6:39 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: access denied (security filtering) Hi All, I think I am having the same problem as Bill. I have my last post on this tread "Windows Server 2003 R2 SP2 GPO Access denied (security filtering)" if you can copy and paste the html at the bottom you should more clearer picture what Bill is facing. As Daren said, "....create a group that includes the TS computers,....", I think it will solve the problem because instead of putting all TS computers, I tried put in the TS name into the filtering, yes it works. But question is, not all TS users computers joined to the domain? I did tried without joining the computer to the domain and the computer won't appears in the selection list of the filter. How could we overcome this issue? Thank you. Tan *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************