Scott- This should work if I understand your scenario. How have you granted the deny ACE? What are you denying? Have you looked at the Effective Permissions tab in the ACL editor to see if it thinks that your computer in question has the correct rights? Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Bean, Scott Sent: Friday, October 17, 2008 7:57 AM To: 'gptalk@xxxxxxxxxxxxx' Subject: [gptalk] permissions and gpos I have been upgrading my policies to the new vista format. I have a seemingly simple question about permissions. How do I stop the computer configuration from being applied to certain groups. I have to put authenticated users as apply for the computer configuration to take place. But if I have a nested group and set that as deny it still gets the computer configuration, which has caused a huge problem and headache this Friday morning. Basically I have a policy that I want one nested group to get but not another. Thanks in advance, Scott