I read up on improving the two GPOs due to RIM (Blackberry) requesting that I establish the BES account as a service and allow log on locally for the BES account too. They mention not to have the BES account as a Domain Admin but I digress. Anyway, I was about to place at the "Default Domain Policy" as the guy was encouraging me to do so then I thought wtf I'm doing. So I have a time out of sorts to research where do I place the GPO and who should it apply to. Also, what accounts should be included. Anyway, I just opened pandora's so all this is a bit too overwhelming and I would appreciate some baby steps in resolving this issue of what exactly goes into the "log on as a service" and "log on locally" and where should it be applied? I guess I'm worried of breaking something if the accounts are applied and the servers require some other account. Attached are some pics as I am very much a visual person.