If an ordinary user opens Control Panel / Users and Passwords, they are prompted:

<b>        You must be a member of the Administrators group on the computer to open the Users and Passwords control
        panel. You are logged in as Machine_name\User_name, which is not a member of the Administrators group.

        Specify the user name and password of an Administrator on this computer to continue:
        User name:
        Password:

        You can change your password without opening the Users and Passwords control panel by pressing
        CRTL-ALT-DEL and selecting Change Password.</b>
If an ordinary user opens Control Panel / Administrative Tools / Computer Management / Local Users and Groups, they can add a new, ordinary, user, and change the password on users that they create. They can NOT add a user to the Administrators group and can NOT change other users passwords.

As unbelievable as this seems, it is the default behavior of Windows 2000 Professional.

Thankfully, this does NOT work on the Windows 2000 Server products.

An Administrator can, and should, alter this behavior:

1. Control Panel / Administrative Tools / Computer Management / Local Users and Groups.

2. Click Groups to expand it.

3. Double-click Users.

4. Select NT AUTHORTY\INTERACTIVE.

5. Press Remove.

6. Press OK.

You can also do this at a CMD prompt, in batch, and you can schedule it, using:

net localgroup users "NT AUTHORITY\INTERACTIVE" /delete