We have an XP Pro/ Server 2003 AD network. All of our users are given local admin rights to their computers. This is typically done using the 'User Accounts' applet in XP where we add the user's domain account and grant them Administrator rights. Recently I saw that an easier way to do this is to add the 'Domain Users' group to the local Administrators group through the local PCs 'Computer Management'. I also see this can be done by adding the "Interactive Users" group to the local Administrators group. I'm pretty sure that the way we used to do it is about the hardest possible way to do it. What I wonder now that I've found easier ways is what is the difference between Interactive Users and Domain Users?? Thanks for the help, MJ

"All of our users are given local admin rights to their computers" This is a very poor choice. "Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10

I second that. MAJOR security issue there. Why do you give Users Admin Privileges? EEOC

I'll happily explain why we do what we do to whomever can answer my question. Thanks

humph . . .

The Interactive identity Any user logged on to the local system has the Interactive identity. This identity is used to allow only local users to access a resource. http://technet.microsoft.com/en-us/... "Don't hit at all if you can help it; don't hit a man if you can possibly avoid it; but if you do hit him, put him to sleep." Theodore Roosevelt New York City, February 17, 1899

dippncope, thanks for your post. I've started a thread like this on another forum too and have found that for every person who is vehemently against granting local Admin rights to a domain user there is someone who can make a compelling arguement in favor of it. I personally like the ease of setting up every domain user as a local Admin. We run several programs that require the user to have local Admin priveleges so you can imagine it is easier to set the users up with admin priveleges then it is to try to workaround the programs' limitations. There are a number of problems solved and less dependency on IT when the users are set up as local Admins too. On top of that we have not had one issue that's resulted from someone with too many rights (Admin priveleges) on their local PC. That said, I think the odds are against us being so lucky for too much longer. I identified the workarounds I will need for 90% of our users and plan to downgrade all local user rights. Because of the change I won't need to adjust the local admin priveleges from the specific domain user to Interactive User or Domain User. But while we're on the subject I learned that the Interactive Users group includes local Guest logins . . . which could be a problem. I also learned that the Domain Users group is not a fitting choice in a multi-domain environment. The right choice for granting local Admin priveleges to everyone while maintaining some level of security is to use the Authenticated Users group. Gotta run. Thanks again. MJ