Deny Logon
January 9th, 2012 8:01pm

Hi, We have offices in different locations, so we have created OUs in our AD based on location. We have different teams of administrators who can log on to all the Windows 2003 & 2008 servers across the locations using RDP. Currently we want to restrict a few users from logging on to a few servers in different locations. The easiest way that I can think of is to create a separate OU, add all those servers where I want to restrict login via RDP, and apply a group policy with "Deny logon locally" and "Deny logon using terminal services". But I don't want to create a separate OU to achieve this, and I can't take the pain of adding the server list for each user under the "Log On To" option either. Is there a way I can restrict users from logging on to certain servers without creating a new OU? If I can add those servers to one group like "Restrict Srv" and create a group of the users whom I want to restrict, "Restrict Usr", can I then specify some policy or setting so that these users can't log in to these "Restrict Srv" servers? Thanks, Vijesh Rajan
January 13th, 2012 10:58am

Of course. Create a new group and add the selected servers to the new group. Create a new group policy and link it to the parent OU of the servers. Open GPMC and under the "Delegation" tab of the group policy, remove "Authenticated Users", add the new group you created and give that group "Read" and "Apply Group Policy" permissions. Please let me know if you succeeded. Regards, Liran.
January 13th, 2012 12:05pm

The pain caused by adding servers to the allowed list of computers can be avoided by scripting. Use PowerShell or VBS. Using a separate OU may cause ambiguous results, namely with DCs. An alternative procedure may be based on access auditing. If you tell a selected group of administrators that they should not connect remotely, you have immediate information, via eventtrigger and a light mail server, that the rule has been violated. Regards, Milos
January 13th, 2012 12:05pm

Use the Security Filtering feature; you can apply a GPO to objects without putting them in one OU. http://technet.microsoft.com/en-us/library/cc728301(WS.10).aspx
January 13th, 2012 12:08pm
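
The security-filtering procedure described in the replies above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not code posted by anyone in the thread. Assumptions: the OU path, domain, server names and GPO name are placeholders, and the script runs on a management host with both modules installed (Windows Server 2008 R2 or RSAT).

```powershell
# Added example: scope a "deny logon" GPO to a group of servers via security filtering.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$serverGroup = 'Restrict Srv'                      # group name used in the question
$gpoName     = 'Deny Logon - Restrict Srv'         # hypothetical GPO name
$parentOU    = 'OU=Servers,DC=example,DC=com'      # placeholder: parent OU of the servers
$servers     = 'SRV01', 'SRV02'                    # constructed sample computer names

# 1. Security group that holds the computer accounts of the restricted servers.
New-ADGroup -Name $serverGroup -GroupScope Global -GroupCategory Security -Path $parentOU
Add-ADGroupMember -Identity $serverGroup -Members ($servers | ForEach-Object { Get-ADComputer $_ })

# 2. New GPO, linked to the parent OU. The servers stay in their current OUs.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $parentOU | Out-Null

# 3. Security filtering: the server group gets Read + Apply Group Policy,
#    and the default "Authenticated Users" entry is removed.
#    -Replace is required because this lowers an existing permission.
Set-GPPermission -Name $gpoName -TargetName $serverGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# 4. Verify the resulting delegation: only the server group should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# The deny rights themselves ("Deny log on locally" and the Terminal Services
# equivalent, with the "Restrict Usr" group as the denied principal) are User
# Rights Assignment settings and are edited in the GPO with the GPMC editor.
# The GroupPolicy cmdlets above do not set them.
# A server picks up its new group membership at its next restart.
```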
