The membership of groups should be carefully evaluated. A group that is granted permissions to sensitive files might contain users that should not have that access. Open each group listed in the User Manager and inspect its members. Are any of the accounts in a group inactive? If so, consider removing the accounts.

Carefully evaluate the members of management groups such as Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Remove all unnecessary accounts. Make sure that all administrative users have two accounts: one for administrative tasks and one for regular use. Administrators should only use their administrative accounts when absolutely necessary.

Evaluate each global group membership and the resources that the group has access to. Does the group have access in other domains? What folders and files do groups have permission to access? This can be difficult to evaluate. Use a program like Somarsoft DumpACL to help you with this task.

Do local groups hold global groups from other domains? Check the membership of these global groups and make sure that no users have unnecessary access to resources in the current domain.
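The inactive-account and other-domain checks described above can also be run over command-line output rather than by opening each group by hand. The following is an added example, not part of the original text: it parses `net localgroup <group>` output and lists the members that need a manual review. The sample output, the last-logon table, the CORP and PARTNER domain names, and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Management groups named in the text above.
MANAGEMENT_GROUPS = {"Administrators", "Server Operators", "Account Operators",
                     "Backup Operators", "Print Operators"}
# Constructed sample of `net localgroup Administrators` output (not real data).
SAMPLE = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
PARTNER\\Domain Admins
jsmith
oldadmin
The command completed successfully.
"""
# Constructed last-logon table keyed by lower-case account name (assumption).
LAST_LOGON = {"administrator": date(2024, 5, 20), "jsmith": date(2024, 5, 28),
              "oldadmin": date(2023, 11, 2)}

def parse_net_localgroup(text):
    """Return (group_name, members) from `net localgroup <group>` output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    group = next(l[len("Alias name"):].strip() for l in lines if l.startswith("Alias name"))
    start = next(i for i, l in enumerate(lines) if l.startswith("---")) + 1
    return group, [l for l in lines[start:] if not l.startswith("The command completed")]

def audit(members, last_logon, local_domain, today, max_idle_days=90):
    """Yield (member, reason) for each entry that needs a manual review."""
    for member in members:
        domain, _, name = member.rpartition("\\")
        seen = last_logon.get(name.lower())
        if domain and domain.upper() != local_domain.upper():
            yield member, "other-domain"       # principal from another domain
        elif seen is None:
            yield member, "no-logon-record"    # nested group or never-used account
        elif (today - seen).days > max_idle_days:
            yield member, "inactive"

def run_sample():
    group, members = parse_net_localgroup(SAMPLE)
    findings = list(audit(members, LAST_LOGON, "CORP", date(2024, 6, 1)))
    return group, group in MANAGEMENT_GROUPS, findings

if __name__ == "__main__":
    print(run_sample())
```

A `no-logon-record` finding only means the name was absent from the logon table; a nested global group will always show up this way, and its own membership still has to be checked.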