I’m not sure if this has been covered before; I just finally figured out how to get on this list after 2 years of working here. :) Just thought I would share what I have come up with here at the Com Arts Building with regard to making the local users administrators of their own computers but not administrators of the network. This can be done in a few ways.

First, and probably the most common way, is to just add the domain user to the local Power Users group or the Administrators group on the local computer. This will work fine but requires a visit or a remote connection to the local computer. If you already have a large network, this method takes too long.

Second, you can make all workstations in an OU have local administrator access regardless of the user. Create an OU for the computers, e.g. Unrestricted Computers. Move the computers you want to change into the OU. For the Unrestricted Computers OU, do the following. This must be done from the server.

1. Right-click the Unrestricted Computers OU and select Properties.
2. Go to the Group Policy tab.
3. Select or create a group policy and click Edit.
4. Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups.
5. While Restricted Groups is highlighted, select Action from the MMC toolbar and select "Add group".
6. Click the "Browse" button.
7. Select the following group: "Administrators", and click "OK"; this is the built-in administrators for the domain controller, not the domain/tree administrator.
8. Click "OK" again.
9. Double-click "Administrators".
10. Under "Members of this group", click the "Add" button.
11. Select the Browse button and select "Domain Users" and "users" and "system" and "administrators" and "domain administrators", then click "OK", click "OK", click "OK". If you don’t have some of the groups or can’t find them, that is OK.
12. Now, from the command line, type "secedit /refreshpolicy machine_policy".

The "Domain Users" that log onto the selected machines will be local administrators.

There is one more way, which makes it dependent on both the computer and the user. Basically it is the same, but you also maintain a group with a list of users, and then only the users in the list that log into the unrestricted computers will have admin access. Replace this group with the domain users group when making the policy.

Hope this helps someone. If you have more questions, email me and I will help fill the gaps.

Nicholas Zeidler
Network Administrator
Communication Arts & Sciences
P: (517) 353-7253
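
A check that can be run on a workstation in the OU after the policy refresh, to list what the Restricted Groups setting left in the local Administrators group and to flag entries that cover every account (an added example, not part of the original post). It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function names Test-BroadPrincipal and Get-LocalAdminAudit are hypothetical.

```powershell
# Added example: audit the local Administrators group after the policy refresh.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Well-known SIDs that effectively mean "every user".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Test-BroadPrincipal {
    # Returns a label when the SID names a catch-all group, otherwise $null.
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is always <domain SID>-513.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Get-LocalAdminAudit {
    # S-1-5-32-544 is BUILTIN\Administrators regardless of OS language.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Enumeration can fail, for example when the group holds an orphaned SID.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        $broad = Test-BroadPrincipal -Sid $m.SID.Value
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass
            Source   = $m.PrincipalSource
            Broad    = [bool]$broad   # True when every account is covered
            Reason   = $broad
        }
    }
}

# Broad entries first, so a machine-wide grant is the first thing seen.
Get-LocalAdminAudit | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Because the "Members of this group" list in Restricted Groups replaces the existing local membership, the output should match the list entered in step 11. With the group-based variant described above, the maintained group should appear in place of Domain Users and no row should show Broad as True.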