[gptalk] Re: Will GPO Security Client Side Extension be able to process the same syntax that SECEDIT can process.

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 15 Aug 2007 14:35:01 -0700

Tolli-

Your question got me playing around with this, especially since the promise
of using a "remove" keyword was pretty cool given that you cannot remove
security settings today via GP. However, in my testing, and trying to import
a file of this type into a GPO, it did not appear to work as expected.
Specifically, I tried to remove a group (Local Service) that I had added
using secedit, which understood the inf Add & Remove syntax just fine.
However, when I import the same inf into a GPO, the "add" or "remove"
keywords are simply not parsed correctly. Too bad. It would have been
interesting to use that capability. The good news is that it does work when
you apply those inf files from the secedit command line.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Lowell-Forker, Tolli
Sent: Wednesday, August 15, 2007 1:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Will GPO Security Client Side Extension be able to process the same syntax that SECEDIT can process.

I've noticed that some of the .inf files that are used during
server/workstation builds and DC promotions have some very interesting
syntax (found in %windir%\inf).  I guess that this syntax is understood by
SECEDIT.  My question is whether the Group Policy CSE that reads the
GPTTmpl.inf can also understand this syntax?

Custom management of user rights using "ADD:" and "REMOVE:":

[Privilege Rights]
;Add Whatever a DC should have by default.
;Remove Power Users from every right since it no longer exists but may have been added.
;Remove Whatever *Default* Server Rights don't belong on a DC
;If Server and DC Defaults are the same, then only power users is removed
;If You remove Everyone, Remove Authenticated Users as well.
;
SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
SeBackupPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, Remove:, *S-1-5-32-547
SeBatchLogonRight = Remove:, *S-1-5-32-547

Restricted Groups (use of variables in Group Names):

;----------------------------------------------------------------------
;   Restricted Groups
;----------------------------------------------------------------------
[Group Membership]
;Accounts Created During Server Role are Maintained so ignore groups.
;Operational Groups
;%SceInfBackupOp%__Memberof =
;%SceInfBackupOp%__Members =
;%SceInfGuests%__Memberof =
;%SceInfPrintOp%__Members =
;%SceInfReplicator%__Memberof =
;%SceInfReplicator%__Members =
;%SceInfServerOp%__Memberof =
;%SceInfServerOp%__Members =

=======================================================
Tolli Lowell-Forker

Sr. Technical Specialist
Technology Infrastructure ~ Infrastructure Applications ~ Group Policy
Engineering
