As I understand it, you create an OU and then you move all the resources and users into it. Then you can create GPOs and ACLs that relate to that container.
If your question relates to performance, then you should configure your sites.

That is the best 'non-answer' I have ever heard. The location of users and resources in OUs is basically transparent to users. It is meant, as the name implies, for organization. True, you can apply GPOs to OUs, but that doesn't do anything to answer his question.
I'm not sure what you mean about restricting users to a set of servers. Does that mean you just don't want them to be able to access resources on those servers? You don't want them to be able to log on to those servers or see them in the browser? What exactly are you trying to restrict?

We have outside contractors that need remote access to our network from untrusted sites in order to maintain some servers. I need to make sure that they cannot access any other resource in our network via GPO.
Thank you,
Leto the Just

You have to authenticate those users with domain local accounts, since their domain is untrusted. That means setting up RRAS with remote access enabled accounts, either over a VPN or a direct DUN connection.
Put those accounts into a global group and then into an OU so that you can modify their GPO settings. I'm not sure if group policies are actually extended to RRAS clients.
Create a local group and assign it to each server you want those users to access. Give that group the permissions you want them to have by selecting ACE permissions.
Connect the users to those permissions by adding the global group you created for them, into the local group that you assigned to each server.
For this to work, you should have previously reconfigured all your resource ACLs in your domain, so that Everyone does not have access by default.

You should find out what Everyone means under Windows 2000 so that you can be sure all your other resources are not being implicitly accessed.
You also mentioned that these 'outside contractors' need to maintain some of your internal servers. If you move those servers into a global group and then into an OU, you can then delegate control of that OU and everything in it.
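
The group nesting described in the replies above (accounts into a global group, global group into a local group, permissions on the local group) plus a check for Everyone entries on other resources, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module on a current Windows Server and a domain local group for the "local group"; the domain, OU, group names and paths are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical names and paths; replace with your own.
$domainDn  = 'DC=example,DC=local'
$netbios   = 'EXAMPLE'
$ouName    = 'Contractors'
$ouDn      = "OU=$ouName,$domainDn"
$globalGrp = 'GG-Contractors'          # holds the contractor accounts
$localGrp  = 'DL-MaintServers-Modify'  # carries the permission
$resource  = 'D:\MaintShare'           # resource the contractors may touch
$otherPaths = @('D:\Finance', 'D:\HR') # resources they must not reach

# 1. OU for the contractor accounts, so a GPO can be linked to it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn

# 2. Global group for the accounts, domain local group for the permission.
New-ADGroup -Name $globalGrp -GroupScope Global -GroupCategory Security -Path $ouDn
New-ADGroup -Name $localGrp -GroupScope DomainLocal -GroupCategory Security -Path $ouDn

# 3. Nest the global group inside the local group.
Add-ADGroupMember -Identity $localGrp -Members $globalGrp

# 4. Grant the local group (never the individual accounts) rights on the resource.
$acl  = Get-Acl -Path $resource
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$localGrp", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $resource -AclObject $acl

# 5. Audit the other resources for Allow entries granted to Everyone (S-1-1-0).
#    Any hit means the contractor accounts get in implicitly.
foreach ($p in $otherPaths) {
    (Get-Acl -Path $p).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    } | Select-Object @{n='Path'; e={$p}}, IdentityReference, FileSystemRights, IsInherited
}
```

Step 5 only inspects the top-level ACL of each path; subfolders with inheritance disabled need the same check.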
