An ordinary user of a Windows 2000 Professional computer can use My Computer / Manage / Local Users and Groups / New User to add a new local user to their computer.

In a company environment, this is NOT desirable.

To prevent this ability:

1. Log on locally as a member of the Administrators group.

2. Open a CMD prompt and type:

        net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE

NOTE: You can create a batch file that contains this command and use PsExec to run it on a remote computer:

        PsExec \\RemoteComputer -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName

NOTE: To do this on all the workstations in your Windows 2000 domain, use the following batch file:

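        @echo off
        setlocal
        rem Skip the first output line, then pass the first word of each line to :computer
        For /f "Skip=1 Tokens=1" %%i in ('netdom query /domain WORKSTATION') do call :computer "%%i"
        endlocal
        goto :EOF
        :computer
        set machine=%1
        rem Strip the surrounding quotes
        set machine=%machine:"=%
        rem Ignore netdom status lines that begin with "The" or "Directory"; they are not computer names
        if "%machine%" EQU "The" goto :EOF
        if "%machine%" EQU "Directory" goto :EOF
        PsExec \\%machine% -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName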
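
To confirm the change on a workstation, the following batch file checks whether "NT AUTHORITY\INTERACTIVE" is still listed in the local Users group. It is an added example, not part of the original tip; the temporary file name and the exit codes (0 = removed, 1 = still a member, 2 = query failed) are assumptions chosen for illustration.

```batch
@echo off
rem Added example: verify that INTERACTIVE was removed from the local Users group.
setlocal
rem Constructed temporary file name that holds the group listing
set listing=%TEMP%\users_members.txt

rem List the members of the local Users group
net localgroup users > "%listing%" 2>nul
if errorlevel 1 goto :queryfailed

rem find sets errorlevel 0 when the string is present, 1 when it is not
find /i "NT AUTHORITY\INTERACTIVE" "%listing%" > nul
if not errorlevel 1 goto :stillmember

echo %COMPUTERNAME%: OK - INTERACTIVE is not a member of Users
del "%listing%"
endlocal
exit /b 0

:stillmember
echo %COMPUTERNAME%: FAIL - INTERACTIVE is still a member of Users
del "%listing%"
endlocal
exit /b 1

:queryfailed
echo %COMPUTERNAME%: ERROR - could not query the local Users group
if exist "%listing%" del "%listing%"
endlocal
exit /b 2
```

Saved to the same share, it can be run on each workstation with the PsExec loop shown above by substituting its name for BatchName.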