So, I guess what you're saying is the user knows the local administrator
password or has another account, eh? Delete the user's local account and
change the administator password to something he doesn't know.
You could use GPO's on OU that holds computer accounts and create a Security
policy defining Log on Locally right which should include only domain
accounts.
--
Regards
Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed) http://ladava.com
