[gptalk] Re: Restricted Groups and Local Accounts

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 5 Sep 2008 13:27:56 -0700


Yes, if you browse for the account when you define the policy, it is
resolving the account to its underlying SID and that is how it is stored in
the policy. You might try just typing the account name into the Restricted
Groups policy and don't let it resolve the name. That may get around this. I
can't remember if it will still auto-resolve when it stores it. The
alternative is that you could go into the gpttmpl.inf file stored in SYSVOL
and replace the SID with the group name. It should then "resolve-on-the-fly"
when it's processed by clients.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Sent: Friday, September 05, 2008 1:20 PM
To: undisclosed-recipients:
Subject: [gptalk] Restricted Groups and Local Accounts


Say I want to create a restricted groups policy that when applied to
specific machines will always ensure that a local user account with a
certain name will be added to the local administrators group.


Is there a way to do this?  When I create the policy and point the
restricted groups policy to my own machine to grab the name of the local
account, it works on my machine, but the policy will not add that local
account to any other machines.  Just to clarify, if the user account is
created with the same name as specified in the policy, the restricted groups
policy apparently does not recognize that local account and does not add it
to the local administrators group.


Is the policy actually using the local SID of the account and thus even
though all the local accounts are named the same, the policy doesn't believe
them to be the same and thus doesn't process it?  That's the only thing I
can think of for why this wouldn't work.
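
A way to check for the condition discussed in this thread, as an added example that is not part of the original messages: it parses the `[Group Membership]` section of a GptTmpl.inf and reports member entries stored as account SIDs that the given domain did not issue (a machine-local account captured by browsing, or an account from another domain). The sample file content and both SIDs are constructed, the helper names are hypothetical, and the caller is assumed to supply the domain SID and the decoded file text.

```python
import re

# Constructed sample of a GptTmpl.inf with a Restricted Groups entry.
# SIDs carry a leading '*'; a name typed without resolving is stored as text.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1005,*S-1-5-21-4444444444-5555555555-6666666666-512,LocalSupport
[Version]
Revision=1
"""

ACCOUNT_SID = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")

def group_membership(inf_text):
    """Yield (group, kind, members) for each entry in [Group Membership]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        yield group, kind.lower(), [m.strip() for m in value.split(",") if m.strip()]

def foreign_sids(inf_text, domain_sid):
    """Return (group, sid) pairs for Members SIDs not issued by domain_sid."""
    domain_part = domain_sid.upper().removeprefix("S-1-5-21-")
    findings = []
    for group, kind, members in group_membership(inf_text):
        if kind != "members":
            continue
        for member in members:
            if not member.startswith("*"):
                continue  # stored as a name, so each client resolves it itself
            m = ACCOUNT_SID.match(member[1:].upper())
            if m and m.group(1) != domain_part:
                findings.append((group, member[1:]))
    return findings

if __name__ == "__main__":
    domain = "S-1-5-21-4444444444-5555555555-6666666666"  # constructed placeholder
    for group, sid in foreign_sids(SAMPLE_INF, domain):
        print(f"{group}: member {sid} was not issued by {domain}")
```

Built-in SIDs such as `S-1-5-32-544` and entries stored as plain names are not reported, since those resolve the same way on every client.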





