An ordinary user of a Windows 2000 Professional computer can use My Computer / Manage / Local Users and Groups / New User to add a new local user to their computer.

In a company environment, this is NOT desirable.

To prevent this ability:

1. Log on locally as a member of the Administrators group.

2. Open a CMD prompt and type:

        net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE

NOTE: You can create a batch file that contains this command and run it on a remote computer with PsExec:

        PsExec \\RemoteComputer -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName

NOTE: To do this on all the workstations in your Windows 2000 domain, use the following batch file:

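        @echo off
        setlocal
        rem Enumerate the domain's workstations; Skip=1 drops the first line of netdom output.
        For /f "Skip=1 Tokens=1" %%i in ('netdom query /domain WORKSTATION') do call :computer "%%i"
        endlocal
        goto :EOF
        :computer
        rem Strip the surrounding quotes from the computer name.
        set machine=%1
        set machine=%machine:"=%
        rem Skip netdom output lines that are not computer names (first token "The" or "Directory").
        if "%machine%" EQU "The" goto :EOF
        if "%machine%" EQU "Directory" goto :EOF
        rem NOTE: the domain admin password is stored in this file in clear text; restrict who can read it.
        PsExec \\%machine% -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName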
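
The following is an added example, not part of the original tip: one possible body for the batch file called BatchName above, which removes the group member only if it is present and then confirms the result, so a domain-wide run leaves a record of which workstations were changed. It assumes English-language group and account names; the log file name RemoveInteractive.log and its location on \\ServerName\ShareName are hypothetical.

```batch
@echo off
rem Added example (not from the original tip): possible contents for BatchName.
rem Removes NT AUTHORITY\INTERACTIVE from the local Users group, verifies, and logs.
setlocal
set member=NT AUTHORITY\INTERACTIVE
rem Hypothetical log path; the account running this needs write access to it.
set log=\\ServerName\ShareName\RemoveInteractive.log

rem Already absent? Record that and stop, so re-runs do not report an error.
net localgroup Users | find /i "%member%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME% already-removed>>"%log%"
    endlocal
    exit /b 0
)

rem Remove the member, then list the group again to confirm the change took effect.
net localgroup Users "%member%" /DELETE >nul 2>&1
net localgroup Users | find /i "%member%" >nul
if errorlevel 1 (
    echo %COMPUTERNAME% removed>>"%log%"
    endlocal
    exit /b 0
)

rem Still a member: log the failure and return a non-zero exit code.
echo %COMPUTERNAME% FAILED>>"%log%"
endlocal
exit /b 1
```

PsExec returns the exit code of the program it ran, so the calling batch file can also test errorlevel after each PsExec line.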