I've got a problem with computer policies, and I think it's down to permissions - any help from AD Gurus would be appreciated.

It's a slightly complex scenario.

My users may log in either via a standard desktop, or via Citrix (Terminal Server). When they log into the Citrix environment and run a published application their rights have to be restricted. To achieve this, the servers in the Citrix OU have GPO "loopback" processing enabled, which causes the USER policies in the computer OU to be applied.

To ensure that administrative accounts did not get the restrictions, I applied security settings so that domain administrators did not get the policy applied.

So far so good. Unfortunately some local admin accounts *did* get the restrictions, and this caused a problem.

I disabled the policy for local admin accounts and this appeared to be fine.

The problem that I have now is that I'm no longer getting computer policies applied. I'm assuming that these are applied by a local admin account or an account in the local administrators group, but I'm not sure and Googling/MSDNing hasn't turned anything up yet.

Does anyone know what account applies the computer policies? Is it the computer account? If so is the account in a local admin group?

The quick fix that I am going to try is to split the policy into separate computer and user policies, but I'd really like to know the cause as I've been trying to keep the number of policies which need to be applied to an absolute minimum.
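The following is an added example, not part of the original post, for auditing the security filtering of a GPO like the one described above. It assumes the RSAT GroupPolicy PowerShell module is installed and that `<GPO-NAME>` is a placeholder for the real GPO name. It rests on one fact about Group Policy: the computer side of a GPO is evaluated in the context of Local System, whose token carries the computer account, Domain Computers, Authenticated Users and BUILTIN\Administrators, so a Deny ACE on any of those trustees also blocks the computer policy.

```powershell
# Added example (not the poster's code). Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Well-known SIDs present in the Local System token when the computer
# evaluates GPO security filtering. Domain Computers is domain-specific
# (RID 515) and is matched by suffix below.
$computerSideSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

function Test-GpoComputerApply {
    param([Parameter(Mandatory)][string]$GpoName)   # e.g. '<GPO-NAME>' (placeholder)

    $perms = Get-GPPermission -Name $GpoName -All
    $denies = @()
    $applyGranted = $false

    foreach ($p in $perms) {
        $sid  = $p.Trustee.Sid.Value
        $name = $p.Trustee.Name
        $isComputerSide = $computerSideSids.ContainsKey($sid) -or $sid -like '*-515'

        # A Deny on a trustee that is in the computer's token blocks the
        # computer policy as well as the user policy it was meant to exclude.
        if ($p.Denied -and $isComputerSide) {
            $denies += ("DENY {0} for {1} ({2}) also blocks computer policy" -f $p.Permission, $name, $sid)
        }
        # Something in the computer's token still needs an allow for Apply.
        if (-not $p.Denied -and "$($p.Permission)" -eq 'GpoApply' -and $isComputerSide) {
            $applyGranted = $true
        }
    }

    [pscustomobject]@{
        Gpo                 = $GpoName
        ComputerApplyOk     = $applyGranted -and ($denies.Count -eq 0)
        BlockingDenies      = $denies
    }
}

# Usage: Test-GpoComputerApply -GpoName '<GPO-NAME>' | Format-List
```

On the Citrix server itself, `gpresult /scope computer /r` shows the same outcome from the client side: a GPO listed as "Filtering: Denied (Security)" confirms the ACL, not the link or loopback setting, is what stopped it.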