<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>How to secure the Administrator account access to your environment</title><link>http://blogs.technet.com/steve_lamb/archive/2005/06/24/406853.aspx</link><description>The Administrator Accounts Security Planning Guide has recently been posted to TechNet and hence is available for free download. It's a great place to start in reviewing how you manage privileged access. Whatever type of user you are it's important to</description><dc:language>en-GB</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: How to secure the Administrator account access to your environment</title><link>http://blogs.technet.com/steve_lamb/archive/2005/06/24/406853.aspx#406858</link><pubDate>Fri, 24 Jun 2005 21:58:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:406858</guid><dc:creator>tony</dc:creator><description>I see a lot of times in branch offices where local admins have been delegated some authority within AD and they have just two accounts. One being their non-privileged acct and the other being an elevated acct. The elevated version being group enforced via GPOs into all the local workstation/servers administrators groups and have been delegated AD authority. I think this should be considered a bad practice; they should have 3 accounts: the first one being their normal account, the second being an AD delegated account, and the third should only be utilized by being group enforced by GPOs into the local administrators group and have no AD delegation assigned. Better yet is to not group enforce anybody into the administrators group and only allow the local administrator (renamed of course) to log in interactively.
just my .0000001 cents worth</description></item></channel></rss>