Hi Chris,

There are obviously some differences between NT 4 policies and AD-based group policies (GPO). The most obvious one, as you stated, is that policies apply to containers (OUs), not groups. You have to be in an OU to have a policy applied to you. This actually gives you less granularity than NT 4 in the sense that you can't use groups to apply policies, only to NOT apply policies. That is, I can set security filtering on the group policy applying to an OU so that certain security (global) groups don't have read/apply rights to the group policy. That will result in the GPO applying to everyone in the OU except the exclusions.

However, you have loopback processing mode, which, when enabled on a GPO applied to a machine OU (terminal servers), will allow you to apply terminal server OU specific policies. In essence, when loopback processing is enabled for a GPO/OU, logging on to a machine in that OU means you are entering the OU, and that OU's policies then apply to you.

regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704

-----Original Message-----
From: Christopher_Wilson@xxxxxxxxxxxxxx [mailto:Christopher_Wilson@xxxxxxxxxxxxxx]
Sent: Saturday, 16 August 2003 4:36 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Policies on Win2K

Could use some advice/clarification on Windows 2000 TS policies as I round the learning curve from NT4.

With NT 4 policies we had a TS specific user and computer policy that resided on each Terminal server or a file share. Policies could be applied to specific users and groups while on specific servers. Is this still the case with Active Directory? I see local security policies (which the best I can tell are all or nothing - no assignment by groups) and/or AD policies set per user or per computer.

I have an OU for Terminal servers and an OU for Terminal server users. Then set machine policies on the Terminal Server OU and user policy on the users OU? Is that the right approach? If I do it that way, is there any way to stop Terminal server user policies from being applied to users' accounts when they are outside of the TS environment?

Also, in Active Directory, common.adm (for hidedrives, etc.) is listed as an unsupported template. Is that normal? (that is, anything to worry about?)

TIA,
Christopher