> I think SAM/AD will be mostly quicker

I do not want to be a party pooper here, but have you checked how the AD approach will work from the unmanaged Windows service accounts?
We've been experiencing rather nasty effects of the M$ design: when a host changes its password (it is required to, every so many days), it is no longer considered an "authorized" agent (rather, anonymous). Accessing AD anonymously (esp. from a system-managed service account) is limited; e.g., when you request a list, you get only the first 100 entries (who at M$ invented this?!). Which means that if your code is scanning, it won't find more than 100 users (and they are alphabetized, so the "excess" users will simply disappear from view). That creates false-positive nonexistent users / groups. The only remedy is to restart the host...

P.S. I'm not an AD person, and some of the info above comes from our sysadmins (how they see things unfolding).

Anton Lavrentiev
Contractor NIH/NLM/NCBI
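Two checks a scanner can make before trusting an AD enumeration, written up here as an added example (this is not code from the message above or from its author): first ask the DC what identity the bind actually got (the LDAP "Who am I?" extended operation, OID 1.3.6.1.4.1.4203.1.11.3), and refuse to scan if the answer is empty, i.e. the session was treated as anonymous; second, page through the search results and flag the list as truncated if the server stops it early with a non-success result code, so that missing entries never get reported as nonexistent users. The DC name `dc01.example.com` and the base DN `DC=example,DC=com` are placeholders, and the page size of 500 is an arbitrary choice.

```powershell
# Added example, not part of the original message. Placeholders: dc01.example.com, DC=example,DC=com.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc     = 'dc01.example.com'      # placeholder domain controller
$baseDn = 'DC=example,DC=com'     # placeholder search base

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($dc)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()   # no credential given: binds as the process identity (the service/machine account)

# Check 1: RFC 4532 "Who am I?". The DC returns the authorization identity it
# assigned to this session; an empty value means it treated the bind as anonymous,
# and any enumeration that follows cannot be trusted.
$whoReq  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
$whoResp = $conn.SendRequest($whoReq)
if ($null -eq $whoResp.ResponseValue -or $whoResp.ResponseValue.Length -eq 0) {
    throw "LDAP bind to $dc was treated as anonymous; refusing to enumerate"
}
$identity = [System.Text.Encoding]::UTF8.GetString($whoResp.ResponseValue)
Write-Host "Bound as: $identity"

# Check 2: page through the result set and notice when the server cuts it short.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $baseDn
$req.Filter = '(objectClass=user)'
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req.Attributes.Add('sAMAccountName') | Out-Null

$page = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
$req.Controls.Add($page) | Out-Null

$users     = New-Object System.Collections.Generic.List[string]
$truncated = $false
do {
    try {
        $resp = $conn.SendRequest($req)
    }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # e.g. SizeLimitExceeded: the server returned a partial list. Record that
        # fact instead of silently treating the partial list as complete.
        Write-Warning ("Search stopped early: " + $_.Exception.Response.ResultCode)
        $truncated = $true
        break
    }
    foreach ($e in $resp.Entries) {
        $users.Add([string]$e.Attributes['sAMAccountName'][0])
    }
    # Continue only while the server hands back a non-empty paging cookie.
    $pageResp = $resp.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    $page.Cookie = $pageResp.Cookie
} while ($null -ne $page.Cookie -and $page.Cookie.Length -gt 0)

if ($truncated) {
    throw "User list from $dc is incomplete ($($users.Count) entries); do not report missing users"
}
Write-Host "Enumerated $($users.Count) users (complete result set)"
```

The point of the ordering is that the identity check runs before any search: a session that came back anonymous is rejected outright, and a search that the server stops early is reported as incomplete rather than being compared against the expected user list, which is exactly the comparison that produces the false "nonexistent user" results described above.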