I've noticed that some of the .inf files that are used during server/workstation builds and DC promotions have some very interesting syntax (found in %windir%\inf). I guess that this syntax is understood by SECEDIT. My question is whether the Group Policy CSE that reads the GPTTmpl.inf can also understand this syntax? Custom management of user rights using "ADD:" and "REMOVE:": [Privilege Rights] ;Add Whatever a DC should have by default. ;Remove Power Users from every right since it no longer exists but may have been added. ;Remove Whatever *Default* Server Rights don't belong on a DC ;If Server and DC Defaults are the same, then only power users is removed ;If You remove Everyone, Remove Authenticated Users as well. ; SeAssignPrimaryTokenPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547 SeAuditPrivilege = Add:, *S-1-5-19, *S-1-5-20, Remove:, *S-1-5-32-547 SeBackupPrivilege = Add:, *S-1-5-32-544, *S-1-5-32-551, *S-1-5-32-549, Remove:, *S-1-5-32-547 SeBatchLogonRight = Remove:, *S-1-5-32-547 Restricted Groups (use of variables in Group Names): ;---------------------------------------------------------------------- ; Restricted Groups ;---------------------------------------------------------------------- [Group Membership] ;Accounts Created During Server Role are Maintained so ignore groups. ;Operational Groups ;%SceInfBackupOp%__Memberof = ;%SceInfBackupOp%__Members = ;%SceInfGuests%__Memberof = ;%SceInfPrintOp%__Members = ;%SceInfReplicator%__Memberof = ;%SceInfReplicator%__Members = ;%SceInfServerOp%__Memberof = ;%SceInfServerOp%__Members = ======================================================= Tolli Lowell-Forker Sr. Technical Specialist Technology Infrastructure ~ Infrastructure Applications ~ Group Policy Engineering