Howdie! As for 1. you could use a Software Restriction Policy to deny access to AT.EXE. That'll not allow people to execute it. Keep in mind that you cannot prevent local admins from doing action xyz 100% since they're local admins. Every restriction you put in place, they may be able to revert back. For part 2. I'm not sure what you're trying to achieve. Are you trying to prevent the system to cache credentials at all or is it that the credentials are cached in the CMD window/application that is currently running with the admin's creds? Cheers, Florian *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************