We are preparing to modify our DLU policy to remove users from the administrators group and move them to the users group. However, if a user was smart enough, he could have created a "back door" local Windows account with admin rights while he was still an admin. Is there a script that I could run that would remove all accounts except for the builtin and the user's local account which would match the NDS account name? The problem I see with deleting all accounts except for the builtin ones is that this would probably screw up the user's existing profile which wouldn't go over very well. I was thinking about Addusers.exe from the Windows Server Resource Kit but I'd need some way of dynamically identifying the user who is logged in to exclude that account from removal. Basically I'd need something that could delete a wildcard of accounts except for the user's and the builtins. I'm not so sure this would be a very easy thing to do, but it would seem to make sense to remove any possible scenario where a user could circumvent the removal of admin rights. Any ideas?
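
One way to approach the cleanup described above, as an added example that is not part of the original post: it lists every local account that is neither a built-in account (matched by well-known RID) nor the account of the user logged on at the console, and deletes them only when asked. Assumptions: PowerShell 3.0 or later run elevated, the DLU-created local account name equals the console user name, and the `-Keep` and `-Remove` parameters are hypothetical names chosen for this sketch.

```powershell
# Added example, not from the original post. Run elevated on the workstation.
param(
    [string[]]$Keep = @(),   # extra local account names to preserve (assumption: e.g. service accounts)
    [switch]$Remove          # without this switch the script only reports
)

# Well-known RIDs of built-in accounts: Administrator, Guest, DefaultAccount, WDAGUtilityAccount
$builtinRids = '500', '501', '503', '504'

# Interactive console user, returned as DOMAIN\name or COMPUTER\name.
# Empty when nobody is logged on at the console (for example an RDP-only session).
$console = (Get-CimInstance Win32_ComputerSystem).UserName
if (-not $console) {
    # Fail closed: without a known user, every non-built-in account would be swept up.
    throw 'No console user detected; refusing to continue.'
}
$current = ($console -split '\\')[-1]

# Local accounts only; comparisons below are case-insensitive, as Windows account names are.
$extras = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = True' |
    Where-Object {
        $rid = ($_.SID -split '-')[-1]
        ($builtinRids -notcontains $rid) -and
        ($_.Name -ne $current) -and
        ($Keep -notcontains $_.Name)
    }

foreach ($acct in $extras) {
    $name = $acct.Name
    if ($Remove) {
        net user $name /delete | Out-Null
        $action = if ($LASTEXITCODE -eq 0) { 'deleted' } else { 'delete failed' }
    } else {
        $action = 'would delete'
    }
    # One record per extra account, suitable for logging or CSV export
    [pscustomobject]@{
        Name     = $name
        SID      = $acct.SID
        Disabled = $acct.Disabled
        Action   = $action
    }
}
```

Run it without `-Remove` first and review the report; accounts created by installed software or support tooling will appear in it unless they are passed in `-Keep`.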