[gptalk] Re: Restricted Groups and Local Accounts

  • From: "WATSON, BEN" <bwatson@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 5 Sep 2008 13:34:01 -0700

It does allow me to simply type in a simple name and add that.  I'll see
if that works.  What I was really hoping for is it to allow me to enter
in %computername%\accountname, but it returned an error unfortunately.

That's an interesting workaround.  Let me give that a shot and I'll let
you know if it is successful.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, September 05, 2008 1:28 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricted Groups and Local Accounts

Ben-

Yes, if you browse for the account when you define the policy, it is
resolving the account to its underlying SID and that is how it is stored
in the policy. You might try just typing the account name into the
Restricted Groups policy and don't let it resolve the name. That may get
around this. I can't remember if it will still auto-resolve when it
stores it. The alternative is that you could go into the gpttmpl.inf
file stored in SYSVOL and replace the SID with the group name. It should
then "resolve-on-the-fly" when it's processed by clients.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of WATSON, BEN
Sent: Friday, September 05, 2008 1:20 PM
To: undisclosed-recipients:
Subject: [gptalk] Restricted Groups and Local Accounts

Say I want to create a restricted groups policy that when applied to
specific machines will always ensure that a local user account with a
certain name will be added to the local administrators group.

Is there a way to do this?  When I create the policy and point the
restricted groups policy to my own machine to grab the name of the local
account, it works on my machine, but the policy will not add that local
account to any other machines.  Just to clarify, if the user account is
created with the same name as specified in the policy, the restricted
groups policy apparently does not recognize that local account and does
not add it to the local administrators group.

Is the policy actually using the local SID of the account and thus even
though all the local accounts are named the same, the policy doesn't
believe them to be the same and thus doesn't process it?  That's the
only thing I can think of for why this wouldn't work.

Thanks,

Ben
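
The GptTmpl.inf edit Darren describes above, worked through as an added example that is not part of the original thread and not code from any Microsoft tool. In the INF's [Group Membership] section a SID is written with a leading `*` and a plain string is a name, so the fix is to find the `*S-1-5-21-...` member that was captured by browsing one machine's local SAM and replace it with the bare account name. The INF fragment, the SID, the account name `LocalSvcAdmin` and the group `CONTOSO\Server Admins` are all constructed for illustration.

```python
"""Rewrite a SID-bound Restricted Groups member in GptTmpl.inf to a name.

Added example for the thread above, not code from the original post or
from any Microsoft tool. The INF text, the S-1-5-21-... SID, the account
name "LocalSvcAdmin" and the group "CONTOSO\\Server Admins" are all
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed [Group Membership] data: the local Administrators group
# (well-known SID *S-1-5-32-544) with a member SID that was captured by
# browsing one machine's local account. That SID exists only on that
# machine, so every other client silently skips the entry.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1001,CONTOSO\\Server Admins
"""

SECTION = "[group membership]"
# A SID in GptTmpl.inf carries a leading '*'; anything else is a name.
SID_RE = re.compile(r"^\*S-1-\d+(-\d+)+$")


def is_sid(member: str) -> bool:
    """True when the member is stored as a SID rather than a name."""
    return bool(SID_RE.match(member))


def parse_group_membership(inf_text: str) -> Dict[str, List[str]]:
    """Return {key: [members]} for the [Group Membership] section.

    Keys look like '<group>__Members' or '<group>__Memberof'; the group
    and every member are either a name or a '*'-prefixed SID.
    """
    entries: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == SECTION
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = [m.strip() for m in value.split(",") if m.strip()]
    return entries


def machine_or_domain_sids(entries: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """List (key, member) pairs whose member is an S-1-5-21-* SID.

    S-1-5-21-<authority>-<RID> is used for both domain and local accounts,
    so syntax alone cannot tell them apart; a local account's SID is only
    meaningful on the machine that issued it, which is why these entries
    need review before the GPO is linked to other computers.
    """
    return [(k, m) for k, members in entries.items() for m in members
            if is_sid(m) and m.startswith("*S-1-5-21-")]


def replace_sid_with_name(inf_text: str, sid: str, name: str) -> str:
    """Swap one '*S-1-...' member for a bare name in [Group Membership].

    The name is then resolved by each client when the policy is processed.
    Lines outside the section, including [Version], are returned unchanged.
    """
    out: List[str] = []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == SECTION
            out.append(raw)
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            members = [m.strip() for m in value.split(",") if m.strip()]
            members = [name if m == sid else m for m in members]
            out.append(f"{key.strip()} = {','.join(members)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    stale = "*S-1-5-21-1111111111-2222222222-3333333333-1001"
    for key, member in machine_or_domain_sids(parse_group_membership(SAMPLE_INF)):
        print(f"review: {key} holds SID {member}")
    print(replace_sid_with_name(SAMPLE_INF, stale, "LocalSvcAdmin"))
```

The real file sits under the GPO's `MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf` folder in SYSVOL and is normally UTF-16 LE with a BOM, so read and write it with that encoding rather than the default. After a direct edit, also increment the version number in the GPO's `GPT.ini` so clients see the policy as changed and reprocess it.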