We are currently using a DLU user policy at the container level to make all users administrators of their PCs. We will be needing to take this access away within the next few months, giving users limited user access. Assuming we simply leave everything as is and modify the policy to place the users in the users group, how would we go about granting specific users admin rights? From what I understand, DLU policies are not additive and I assume that if a user is associated to two different policies, lets say at the container level as a "user" and at the group level as an "admin", the lower rights are used. Is this correct? I was thinking that one solution would be to keep all the normal users in one group with the standard user policy associated while creating a seperate group for admins to be placed into. The drawback to this is we'd have to maintain the users group to ensure that people have the ability to login. Any better way to do this or am I stuck with creating two groups and maintaining them?