Ben- Yes, if you browse for the account when you define the policy, it is resolving the account to its underlying SID and that is how it is stored in the policy. You might try just typing the account name in to the Restricted Groups policy and don't let it resolve the name. That may get around this. I can't remember if it will still auto-resolve when it stores it. The alternative is that you could go into the gpttmpl.inf file stored in SYSVOL and replace the SID with the group name. It should then "resolve-on-the-fly" when its processed by clients. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of WATSON, BEN Sent: Friday, September 05, 2008 1:20 PM To: undisclosed-recipients: Subject: [gptalk] Restricted Groups and Local Accounts Say I want to create a restricted groups policy that when applied to specific machines will always ensure that a local user account with a certain name will be added to the local administrators group. Is there a way to do this? When I create the policy and point the restricted groups policy to my own machine to grab the name of the local account, it works on my machine, but the policy will not add that local account to any other machines. Just to clarify, if the user account is created with the same name as specified in the policy, the restricted groups policy apparently does not recognize that local account and does not add it to the local administrators group. Is the policy actually using the local SID of the account and thus even though all the local accounts are named the same, the policy doesn't believe them to be the same and thus doesn't process it? That's the only thing I can think of for why this wouldn't work. Thanks, Ben _______________________________________ Best way to <http://abcnews.go.com/print?id=5351908> annoy your co-workers? E-mail.