You could probably do it for regular users by removing the authenticated users group from the account security properties or giving a specific group deny permissions to read for the account. If you want to try it, set up a test account to try it on. You want the user to still be able to change his password and the proper group to manage the account. Be sure to document changes and you can use dsacls to restore default permissions. --- Steve
