Tried to keep the title short, but it seems confusing. Anyway, this is what I was wondering or wanted. I wanted to create a tech user and group that would have admin rights on client pc’s but have a limited user account on servers. Is this possible, there is only one domain and 2003/xp machines? The reason being, incase the tech account gets comprised the user wont have admin rights to the servers. I want the account to be able to join pc’s to the domain also. Should I allow this account to have rights for gpo’s and user and computer ou’s? Thanks in advance for comments.