From what you explained in your first post it sounds like you are trying to deny computer policy from being applied based on a group of user accounts. If that is the case, it won't work. When group policy processes computer configuration settings, it doesn't care what user is logged on. It is running under the NT AUTHORITY\SYSTEM principal, which is the equivalent of the computer's object in AD (COMPUTERNAME$). So, you would need to deny a security group containing the computer objects, not users.

If you're trying to get certain user policies to apply based on the computer they're logging into, you need to look into enabling loopback processing mode. This is common for lab, kiosk, and terminal server scenarios, and since you mentioned a "lab" OU, it might be what you're after.

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 | http://www.dvn.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Bean, Scott
Sent: Friday, October 17, 2008 1:00 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] Re: permissions and gpos

After looking at this for a bit, here is what I have come up with. Here is my setup.

At the root of the domain I have a policy. Under the OU of Test I have a policy. Under the OU Lab (which is an OU inside of Test) I have a policy.

Domain policy has computer and user settings
Test OU policy has computer and user settings
Lab OU policy only has user settings

If I don't put Authenticated Users as "apply group policy" allow on the Test OU (even though I have a group that my test user is in with the same settings), then that policy doesn't get applied, nor does the policy on the Lab OU.

If I run the Results wizard on this machine with my test user, without authenticated users, then I get the following:

Under the computer config summary \ Group Policy Objects \ Applied GPOs I get the default Domain Policy (but this policy has authenticated users "apply group policy").

Under the computer config summary \ Group Policy Objects \ Denied GPOs:

Name                                    Link Location          Reason Denied
Local Group Policy                      Local                  Empty
{E12678B5-A484-4084-B0B2-9868F6ECDF9B}  Root domain/Test/      Inaccessible
{BD2C1ECB-FEF4-4AB3-B4B3-6D2D9673D858}  Root domain/Test/Lab   Inaccessible

And under the User config these 2 policies don't even show up.

Now if on the Test OU I add authenticated users and "apply group policy" set to allow, here is what happens:

Under the computer config summary \ Group Policy Objects \ Applied GPOs I get the default Domain Policy (which has the authenticated users "apply group policy" set to allow). I also get the Test OU Policy (which now has the authenticated users "apply group policy" set to allow).

Under the User config I now get all 3, despite the fact that on the Lab OU policy I do not have authenticated users set, but I do have the group my user is in set to allow "apply group policy".

Also, if I take a user that has deny on the Test OU policy, it applies the computer config but only denies the user config. Should it not deny the whole policy?

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, October 17, 2008 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: permissions and gpos

Scott-

This should work if I understand your scenario. How have you granted the deny ACE? What are you denying? Have you looked at the Effective Permissions tab in the ACL editor to see if it thinks that your computer in question has the correct rights?

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Bean, Scott
Sent: Friday, October 17, 2008 7:57 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] permissions and gpos

I have been upgrading my policies to the new Vista format. I have a seemingly simple question about permissions. How do I stop the computer configuration from being applied to certain groups? I have to put authenticated users as apply for the computer configuration to take place. But if I have a nested group and set that as deny, it still gets the computer configuration, which has caused a huge problem and headache this Friday morning. Basically I have a policy that I want one nested group to get but not another.

Thanks in advance,
Scott

Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
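The two points Jamie makes at the top of the thread (Computer Configuration is applied by the computer account, so a Deny "Apply Group Policy" ACE on a group of users leaves the computer side untouched; per-computer user policy is what loopback processing is for) can be checked and applied from PowerShell. The script below is an added example, not code from the gptalk thread or any of its participants. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin workstation; the GPO names at the bottom are placeholders, and the well-known-principal handling and the "Note" text are this example's own conventions.

```powershell
# Added example (not from the thread). Audits the Apply Group Policy ACEs on a
# GPO and reports whether each one can actually reach Computer Configuration,
# which is evaluated as NT AUTHORITY\SYSTEM, i.e. the COMPUTERNAME$ object.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoApplyFiltering {
    # Lists every "Apply Group Policy" ACE on the GPO with the kind of
    # principals it resolves to, so a Deny that only names users stands out.
    param([Parameter(Mandatory)][string] $GpoName)

    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            $ace       = $_
            $trustee   = $ace.Trustee
            $users     = 0
            $computers = 0
            $covers    = $false      # can this ACE affect the computer side?
            $note      = ''

            switch ($trustee.SidType) {
                'Computer' { $computers = 1; $covers = $true }
                'User'     { $users = 1 }
                'Group'    {
                    # Expand nested membership: Scott's case is a nested group.
                    $members   = @(Get-ADGroupMember -Identity $trustee.Sid.Value -Recursive)
                    $computers = @($members | Where-Object { $_.objectClass -eq 'computer' }).Count
                    $users     = @($members | Where-Object { $_.objectClass -eq 'user' }).Count
                    $covers    = ($computers -gt 0)
                }
                default {
                    # Well-known principals such as Authenticated Users include
                    # every domain computer account as well as every user.
                    $covers = $true
                    $note   = 'well-known principal; includes computer accounts'
                }
            }

            if ($ace.Denied -and -not $covers) {
                $note = 'Deny lists no computer objects: Computer Configuration still applies'
            }

            [pscustomobject]@{
                Gpo                 = $GpoName
                Trustee             = "$($trustee.Domain)\$($trustee.Name)"
                Access              = if ($ace.Denied) { 'Deny' } else { 'Allow' }
                UserMembers         = $users
                ComputerMembers     = $computers
                AffectsComputerSide = $covers
                Note                = $note
            }
        }
}

function Enable-GpoLoopback {
    # Sets "Configure user Group Policy loopback processing mode" in a GPO
    # linked to the computer OU (the lab / kiosk / terminal server pattern).
    # Registry value behind the policy: UserPolicyMode, 1 = Merge, 2 = Replace.
    param(
        [Parameter(Mandatory)][string] $GpoName,
        [ValidateSet('Merge', 'Replace')][string] $Mode = 'Merge'
    )
    $value = if ($Mode -eq 'Replace') { 2 } else { 1 }
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value $value | Out-Null
}

# Placeholder GPO names; substitute your own.
Test-GpoApplyFiltering -GpoName 'Test OU Policy' | Format-Table -AutoSize
Enable-GpoLoopback -GpoName 'Lab Computers Policy' -Mode Replace
# Confirm on a lab machine afterwards with: gpresult /r /scope computer
```

Reading the output: an Allow for Authenticated Users plus a Deny for a group with ComputerMembers = 0 is exactly the situation described in the thread, and the report says so in the Note column. To keep computer settings off a set of machines the Deny trustee has to be a group whose members are computer objects; to vary user settings by machine, link a loopback-enabled GPO to the computers' OU instead of filtering on user groups.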