>Any group can have the necessary administrative privileges granted to it to perform user and group administration; typically, the Domain Admin group, and Domain Account Operators, have the necessary privileges to create and assign users and groups, but typically Account Operators cannot grant new access privileges to the accounts they administer - those rights reside with the domain administrators. Domain administrators do not automatically have local administrative rights - they may not be able to start and stop services on the local machine, create local users, and alter local system configuration items; I typically allow my domain admins local administrative rights to simplify the process of local administration, such as installing SPs, adjusting system times, and installing updated driversthat apply to the workstation's configuration, as opposed to the domain administration issues of access control, trusts and the like. The responsibility and assignment of duties changes when a...

Aha, here's Ed, glad your bumps have healed :) Ed, given my situation (NT4 Server only here), where I want a system admin to have the MINIMUM access level to do the following:

1) Use Server Manager (remotely, preferably) in local domain to check (and sometimes remove) connections with Server Manager.

2) Use User Manager (remotely, preferably) in local domain to Add/Modify/Remove users from local domain groups.

That's really it for this user, nothing else required or wanted - he's really a vfp system/DB admin that needs to maintain local domain groups. Server Operator covers #1, but not #2. I think I'm not supposed to assign Domain Admin level to the user, either, by security rules. Do you see any alternatives? It looks like from what you say, maybe I'm stuck with either my workaround or a Domain Admin choice, but thought I'd get your opinion.

In addition, it is requested that I not "cheat a little" <g> by altering Registry keys to tweak access, though I've seen MSDN docs that show this can be done. But we want to keep things fully standardized, unfortunately...

Also, if you know anywhere that has more detailed descriptions of the server access levels... NTServer Help and MSDN Help have not provided me with much info I find useful so far, I'm reduced to basic experimentation to see what works and what doesn't...