I am running a mixed mode network and I currently have 2 W2k AD DC and 1 WINNT PDC. I am only running 4 limited Group Policies and none of these effect security. I notice that the Everyone group has the ability to Add/Remove themselves from the Domain Administrator account. I have explicitly denied this and within a short time (maybe through replication or policy refresh) it returns as Approved. This is a major security fault please help. I am not sure if there is a default setting I am unaware of. On another side note I experienced the "The Local Policy of the system does not permit you to logon interactively" I used the ntrights.exe and was able to get back in but have since had this happen again. Looking through my GPO I do not see anything that would make this happen. I listed this because I am hoping they are somehow related. Any help would be appreciated.