I am having problems getting GPO to be accepted on my TS users. Here is what I have done, and a glimpse of my system.
1. Windows 2000 DC, soon to be taken out of service
2. Windows Server 2003 DC, running AD, DHCP, WINS, DNS
3. Windows Server 2003 Terminal Server, member server
4. Windows Server 2003 Exchange Server, member server

I want to lock down TS Users so here is what I have done.
A. Created an OU called School Based Counselors
B. From AD, placed the Terminal Server computer in the above OU
C. Created a GPO called TS Loopback & linked it to School Based Counselors
D. enabled User Group Policy looback processing mode, mode= replace
E. Created another GPO called SBC
F. Enabled Prohibit access to the Control Panel
G. Created global group called School Counselors, filtered/ added it in the above OU
H. Added a test user to the global group School Counselors
I. On the Terminal Server, placed the global group (School Counselors) into the local Remote Desktop Users Group.
L. Logged on as the test user, however I am still able to access Control Pane.

Where did I go wrong in this scenario.

Thank you in advance

I can see only one thing in your list which doesn't seem right:

Quote:

G. Created global group called School Counselors, linked it to the above OU

You cannot "link" a security group to an OU. You can place the security group in the OU, but that does not do what you want.

What you have to do is to use the security filtering of the GPO to include the security group, and give them at least Read and Apply this Policy rights. If you remove the default "Authenticated Users" group from the security filtering of the GPO, you also have to add the Terminal Server's computer account in the security filtering (normally, the TS machine account is part of the Authenticated Users group).

You can use Resultant Set of Policies to see which GPOs are applied to your test user when logged on to your TS.