Tolli-

Your question got me playing around with this, especially since the promise of using a "remove" keyword was pretty cool given that you cannot remove security settings today via GP. However, in my testing, and trying to import a file of this type into a GPO, it did not appear to work as expected. Specifically, I tried to remove a group (Local Service) that I had added using secedit, which understood the inf Add & Remove syntax just fine. However, when I import the same inf into a GPO, the "add" or "remove" keywords are simply not parsed correctly. Too bad. It would have been interesting to use that capability. The good news is that it does work when you apply those inf files from the secedit command line.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Lowell-Forker, Tolli
Sent: Wednesday, August 15, 2007 1:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Will GPO Security Client Side Extension be able to process the same syntax that SECEDIT can process.

I've noticed that some of the .inf files that are used during server/workstation builds and DC promotions have some very interesting syntax (found in %windir%\inf). I guess that this syntax is understood by SECEDIT. My question is whether the Group Policy CSE that reads the GPTTmpl.inf can also understand this syntax?

Custom management of user rights using "ADD:" and "REMOVE:":

[Privilege Rights]
;Add Whatever a DC should have by default.
;Remove Power Users from every right since it no longer exists but may have been added.
;Remove Whatever *Default* Server Rights don't belong on a DC
;If Server and DC Defaults are the same, then only power users is removed
;If You remove Everyone, Remove Authenticated Users as well.
;
SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
SeBackupPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, Remove:, *S-1-5-32-547
SeBatchLogonRight = Remove:, *S-1-5-32-547

Restricted Groups (use of variables in Group Names):

;----------------------------------------------------------------------
; Restricted Groups
;----------------------------------------------------------------------
[Group Membership]
;Accounts Created During Server Role are Maintained so ignore groups.
;Operational Groups
;%SceInfBackupOp%__Memberof =
;%SceInfBackupOp%__Members =
;%SceInfGuests%__Memberof =
;%SceInfPrintOp%__Members =
;%SceInfReplicator%__Memberof =
;%SceInfReplicator%__Members =
;%SceInfServerOp%__Memberof =
;%SceInfServerOp%__Members =

=======================================================
Tolli Lowell-Forker
Sr. Technical Specialist
Technology Infrastructure ~ Infrastructure Applications ~ Group Policy Engineering
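
An added example (not written by either poster and not Microsoft tooling): a small Python pre-check for the situation described in this thread, flagging [Privilege Rights] entries that use Add:/Remove: so they can be applied with secedit rather than imported into a GPO. The sample template is constructed from the lines quoted above, and the merge behaviour in apply_entry is an assumption inferred from the keyword names and the template's comments.

```python
# Constructed sample, adapted from the template lines quoted in the thread.
SAMPLE_INF = """\
[Privilege Rights]
;Remove Power Users from every right since it no longer exists
SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547
SeBatchLogonRight = Remove:, *S-1-5-32-547
SeBackupPrivilege = *S-1-5-32-544, *S-1-5-32-551
[Group Membership]
;%SceInfBackupOp%__Members =
"""

def parse_privilege_rights(text):
    """Return {right: {"add": [...], "remove": [...], "set": [...]}}."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        entry, mode = {"add": [], "remove": [], "set": []}, "set"
        for tok in (t.strip() for t in value.split(",")):
            if tok.lower() in ("add:", "remove:"):  # keyword switches the mode
                mode = tok.lower().rstrip(":")
            elif tok:
                entry[mode].append(tok)
        rights[name.strip()] = entry
    return rights

def needs_secedit(rights):
    """Rights that use Add:/Remove: and so should not go through GPO import."""
    return sorted(r for r, e in rights.items() if e["add"] or e["remove"])

def apply_entry(current, entry):
    """Assumed semantics: a plain list replaces the assignment;
    Add: merges into it and Remove: deletes from it."""
    incremental = entry["add"] or entry["remove"]
    result = list(current) if incremental else list(entry["set"])
    result += [s for s in entry["add"] if s not in result]
    return [s for s in result if s not in entry["remove"]]
```

Running needs_secedit over a template before importing it shows which user-rights lines would have to be applied from the secedit command line instead.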