The sad thing about all of this is, I noticed the activity after I had reimaged a lab so anything that my "arch-enemy" was doing was wiped out. Of course, without the image I might not have noticed in the first place...double edged sword. It has taught me that I need to be WAY more vigilant though. One other question I have though, if the domain admin account had a profile on a machine, can the password somehow be decrypted out if that profile? I thought I read something about that in the past few days while I have been trying to figure out, just how much I don't know...which apparently is quite a bit.