Hi Ananth,

If I understand you correctly, the critical thing is the APPLY permission.

If you give READ and APPLY permission to Authenticated users and DENY APPLY to Domain Admins, everyone except Domain Admins will get it.

If you give READ and APPLY permission to Domain Admins, only Domain Admins will get it.

Alan Cuthbertson

Policy Management Software (Now with ADMX and Preference support):
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

ADM Template Editor (Now with ADMX support):
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

Policy Log Reporter (Free):
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

_____

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
Sent: Thursday, 23 October 2008 3:46 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Disable script for administrator account

Hi all,

We have a script to change the usbstor registry key value to 4 and another script to deny permissions to users from running usbstor.inf and usbstor.pnf files.

In scope we have set "authenticated users".

If we set deny permissions to the authenticated group and full control for Domain Administrator group, will the script be applicable for administrator login as well?

How can I stop the script from running for an Administrator account?

Kindly advise.

Regards,
Ananth.
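The READ/APPLY filtering rule from the reply above, modelled as an added example that is not part of the original thread. The group memberships and the third ACL are constructed, and the "any matching deny wins" evaluation is a simplifying assumption that matches the canonical ACE order (deny entries first), not Windows' actual access-check code.

```python
# Simplified model of GPO security filtering (added illustration).
# Assumption: a matching Deny ACE always beats a matching Allow ACE.
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"

@dataclass(frozen=True)
class Ace:
    trustee: str   # group the entry is granted or denied to
    right: str     # READ or APPLY
    allow: bool    # True = Allow ACE, False = Deny ACE

def has_right(acl, groups, right):
    """Effective right for a principal holding the given group memberships."""
    matching = [a for a in acl if a.right == right and a.trustee in groups]
    if any(not a.allow for a in matching):
        return False                      # explicit deny wins
    return any(a.allow for a in matching)

def gpo_applies(acl, groups):
    """The GPO is processed only if both Read and Apply are effective."""
    return has_right(acl, groups, READ) and has_right(acl, groups, APPLY)

def allow_both(trustee):
    return [Ace(trustee, READ, True), Ace(trustee, APPLY, True)]

# Constructed principals. A Domain Admin is also an Authenticated User.
USER = {"Authenticated Users", "Domain Users"}
ADMIN = {"Authenticated Users", "Domain Users", "Domain Admins"}

CASES = {
    # Reply, case 1: allow Authenticated Users, deny Apply to Domain Admins
    "everyone_but_admins": allow_both("Authenticated Users")
                           + [Ace("Domain Admins", APPLY, False)],
    # Reply, case 2: Read and Apply granted to Domain Admins only
    "admins_only": allow_both("Domain Admins"),
    # Constructed case: the deny is placed on Authenticated Users instead
    "deny_authenticated": allow_both("Domain Admins")
                          + [Ace("Authenticated Users", APPLY, False)],
}

def summarize():
    """Map each case to (applies to ordinary user, applies to admin)."""
    return {name: (gpo_applies(acl, USER), gpo_applies(acl, ADMIN))
            for name, acl in CASES.items()}

if __name__ == "__main__":
    for name, (user, admin) in summarize().items():
        print(f"{name:20} user={user!s:5} admin={admin}")
```

In the constructed third case the policy reaches nobody, because the deny on Authenticated Users also matches every Domain Admin.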