Andrew, is the simple .Net application available to share? I have always found the option file is easier to handle with "EXCLUDING" instead of including. We have about 350 users that are allowed to access the license pool (users change) and it is easier to block those that used to be allowed, and are not blocked, then to add/manage the 350 that are allowed. Because they now have to be within the domain/network, that stops non-Department/Domain users from gaining access, but I too would like to find an easier why to do it thru AD, beyond trying Christian's suggestion of blocking server access. If the options file would understand AD groups, that may work, but I think it still wants login names (correct me if I am wrong).