Hi. We're planning on using netgroups to control user access to the different servers within our organization, and the netgroups will be populated based on group memberships on the AD-side (we'll use WindowsSync to sync groups from AD to DS). The basic idea is this: - Sync AD-group entry "group1" over to DS-group entry "group1". This is done automatically with WindowsSync. - Populate netgroup entry "netgroup1" based on DS-group entry "group1". Alternately, add "netGroup" object class to DS-group entry. - Configure clients to use netgroup based authentication. A script will be created to manage netgroup membership dynamically, but creation of netgroups will probably be done manually. Anyway, we need to decide on whether to have a separate netgroup entry and populate netgroup attributes here, or if we should simply add netgroup attributes to the DS-group itself. I believe that both options will work just fine, but would like to hear from others who may have implemented a similar scheme. Maybe there are some pitfalls that we should be aware of. Regards, Kenneth Holter