Adding users to the local administrator group is not really a solution, is it? Can't you turn on loopback processing and set the local policy access to "log on locally" for those same domain groups? That way the local policy will append last and it will not get overwritten by the GPO.

Just a thought,
Jennifer Henske
Mercy Health System