To address security and compliance issues many organizations need to do extensive auditing/monitoring of Windows-based systems. This includes workstations, servers (member and DC) and Active Directory. The only currently practicable way to guarantee all the necessary rights is with the Domain Admin group. Yes, it works, but this creates another security hole. I see a huge need for an "auditor" role that is effectivly a read-only domain admin. A user with these permissions would be able to access and view everything that a domain administrator could, but not be able to make changes. Windows 2008 R2 has an auditor role, but unfortunately all it does is give permissions to view and manage the audit logs. Drat! Has anyone found a way to implement such a role? Cheers, Jim