I want my agents to challenge all users except my Local Administrator on each box. I know that I can challenge all users except the Administrator Group, but our group policy has Domain.com/Domain Administrators in each Local Administrators group. Because of this, I can still log on with my Domain Admin account without being challenged. However, at our other site, it works as desired. Group policy matches at both sites. Both sites use Active Directory for user accounts and groups. What am I missing? Why does Site 1 challenge all users except Local Admin and Site 2 challenge all users except Local and Domain Admins?