I have a client that has a Windows 2003 Terminal Server. They have both local users accounts and domain users accounts. They want to lock down the server to only run their accounting package for their local accounts but not prohibit any functionality to their domain users account. There aren't a whole lot of lockdown features on the local policies, so I am a little stumped. I was toying with the idea of creating a GPO and denying the policy to domain users. Not sure if that will work or not. Need some advice.