I have 2 Windows 2000 Servers, and a whole slew of Win2k workstations. Currently, all users are members of their pc's Administrators group, but not the Domain Admins group. We tried to tighten security down and started by removing users from the local admins group. When I did, all of my GPOs defined in AD Users and Groups stopped working, including scripts and restrictions (screensaver forced to lock, etc). If I add users back to the local admins, things work great.