We have a domain where users have been locked down that they they can't do many functions on some terminal servers. They are not able to right click on the terminal server desktop and get to personalize it to adjust the screen saver lock timeout. The only way they can is for us to remove the SID from the GPO that locks them down - adjust the screen saver lock timeout - and put them back in. We are going to change our GPO to include a set lock timeout (say 10 minutes or the standard that Windows gives a new UID) which will overwrite any that have been previously changed to a longer time. We never tracked the users that wanted the timeout changed so I am trying to quantify that. It'd be nice to know what many and or which users will be affected by this so we can notify prior to enabling the modified GPO. Any ideas how to identify the users either by ADUC by domain or best way to accomplish this? Thanks!