An ordinary user of a Windows 2000 Professional computer can use My Computer / Manage / Local Users and Groups / New User to add a new local user to their computer.
In a company environment, this is NOT desirable.
To prevent this ability:
1. Log on locally as a member of the Administrators group.
2. Open a CMD prompt and type:
net localgroup users "NT AUTHORITY\INTERACTIVE" /DELETE
NOTE: You can create a batch file that contains this command and run it on a remote computer with PsExec:
PsExec \\RemoteComputer -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName
NOTE: To do this on all the workstations in your Windows 2000 domain, use the following batch file:
@echo off
for /f "Skip=1 Tokens=1" %%i in ('netdom query /domain WORKSTATION') do call :computer "%%i"
goto :EOF
:computer
set machine=%~1
if "%machine%" EQU "The" goto :EOF
if "%machine%" EQU "Directory" goto :EOF
PsExec \\%machine% -u DomainAdminAccount -p DomainAdminPassword \\ServerName\ShareName\BatchName
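
To confirm the change took effect across the domain, the following audit batch (an added example, not part of the original tip) runs net localgroup Users on each workstation and records whether NT AUTHORITY\INTERACTIVE is still a member. It assumes you run it while logged on as a domain administrator so that PsExec uses your current credentials, English-language NET output, and the hypothetical file names audit_results.txt and users_audit.tmp.

```batch
@echo off
rem Added example: audit which workstations still list INTERACTIVE in local Users.
rem Assumptions: logged on as a domain admin (PsExec uses the current credentials),
rem English-language NET output, hypothetical file names for results and temp data.
setlocal
set tmp_out=%TEMP%\users_audit.tmp
if exist audit_results.txt del audit_results.txt
for /f "Skip=1 Tokens=1" %%i in ('netdom query /domain WORKSTATION') do call :check "%%i"
if exist audit_results.txt type audit_results.txt
if exist "%tmp_out%" del "%tmp_out%"
endlocal
goto :EOF

:check
set machine=%~1
rem Skip the trailer lines that netdom prints after the computer list.
if "%machine%" EQU "The" goto :EOF
if "%machine%" EQU "Directory" goto :EOF
PsExec \\%machine% net localgroup Users >"%tmp_out%" 2>nul
rem No "Alias name" line means the command never ran (host down, access denied).
rem Record that separately so an unreachable host is not mistaken for a fixed one.
findstr /b /c:"Alias name" "%tmp_out%" >nul
if errorlevel 1 (
    echo %machine% UNREACHABLE>>audit_results.txt
    goto :EOF
)
findstr /i /l /c:"NT AUTHORITY\INTERACTIVE" "%tmp_out%" >nul
if errorlevel 1 (
    echo %machine% OK>>audit_results.txt
) else (
    echo %machine% STILL_MEMBER>>audit_results.txt
)
goto :EOF
```

Workstations reported as STILL_MEMBER or UNREACHABLE are the ones to revisit with the removal batch.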