All users able to see your OU structure - (as mentioned before GPMC.MSC is installed on all Vista clients by default) Not only does a user who is only in the "domain user" group have access to see the structure, I was able to do a backup of GPO's (the option was not grayed out) to my local hard drive. The backup included copies of all scripts used by the GPO. This means a user can easily find the Executive Users group OU that you may have configured for Company Board Members, download their Policies to review (and backup), and look at any scripts to see what resources they might have access to. I hesitate to think about young admin who might put a plain text password in a script. I don't work at a large enterprise, and I realize that because of that my knowledge of proper security procedure might be limited - do you guys in the larger enterprises go into the sysvol directory and apply security permissions to directories that contain GPO's for employees and restrict access to that directory so that only the employees who need access to that GPO have access? Example: By default everyone has read access to the Sysvol directory and its subfolders. So if you want to block access from a user who does not need access to the GPO at \\domaincontroller\SYSVOL\<my domain.com>\Policies\{DH3EA850-8HFA-4117-8HEA-3BH59C49A82B} do you modify the security tab to allow only those users that need access? Do you do this for every GPO - and then you would have to also modify the contents of the \\domaincontroller\SYSVOL\<my domain.com>\scripts directory to make sure users are only allowed read access to the scripts they use instead of the default permissions of being able to read everyone's scripts. What am I missing here? On separate notes- ntbackup no longer exists on Vista. The new utility "sdclt" does not appear to support command line parameters, and did not let me save a backup job to a local volume or local drive, it only gave me options to save on a writeable DVD or a network share. This is a bummer for me if Longhorn acts the same way. I used to do backups of 1) a web forum database and 2) online webstore database on a web server once an hour to a local directory on that webserver. The purpose was that if something should happen to corrupt the online sales database or forum, I could return it to the state it was the previous hour, instead of all the way back to the tape backup the night before. I'm sure it may be the same thing for all those people who backup Exchange with NTBackup (I use BackupExec personally) Also GenControl http://www.gensortium.com/products/gencontrol.html didn't work on Vista - it remotely installs VNC on a PC and gives you instant Desktop Control (when your user has proper permissions). Mark Mills