Folks,

Thanks to Chris Lynch I found my answer to this. It seems since I don't have AD, I will not be able to take advantage of the Restricted Groups setting, because the Restricted Groups setting is not included in the local GPO of Win2k Workstation/Server. Which is pretty sad, but true. The only way you can do this is to set up a template with the Restricted Groups settings, export a database of the current settings, and then import the template settings via script against that database and apply to the local GPO. (Don't bother with secedit /refreshpolicy; it does nothing to help.) (Making a scheduled task of this would be the best bet.)

But what really sucks is there is not a great way of making a standalone Windows 2K bastion host (IIS/DNS/ISA server) not vulnerable to attacks such as pipeupadmin or getadmin, or LSA dump, which is something you really gotta do before you put a system in your DMZ, unless you want it compromised really quick.

Ed

-----Original Message-----
From: Ziots, Edward [mailto:EZiots@xxxxxxxxxxxx]
Sent: Thursday, February 13, 2003 4:41 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Security Templates issue with Local GPO on Win2k Standalone.

To the list,

I know this might be a little OT, but here is what I am trying to do, via local GPO on a new external DNS server I need to put out for my organization.

1) I have configured a security template which locks down the unneeded services, and ACLs them so that only Administrators can disable them if so desired.

2) The security template also makes use of the Restricted Groups functionality, in which I have added all the local accounts, which will only be members of the Administrators group and no others.

I validated the security template and then ran the following command:

secedit /configure /db db.sdb /CFG template.inf /overwrite /areas GROUP_MGMT /log log.log /verbose

I looked at the log; everything worked fine. I ran secedit /refreshpolicy machine_policy /enforce and secedit /refreshpolicy user_policy /enforce. I then go ahead and add the TSINTERNETUSER via Terminal Services to the Administrators group, which, with the local GPO being applied, should be removed. When I reboot, the account still exists in the local Administrators group. Do any of the GPO gurus have some suggestions?

This is an external Win2k standalone system with SP3 and all the needed hotfixes.

Thanks in advance,
Ed

*********************************************************
This Week's Sponsor - RTO Software / TScale
TScale increases terminal server capacity. Get 30-40% more users per server to save $$$ and time. Add users now! - not more servers. If you're using Citrix, you must learn about TScale!
Free 30-day eval: http://www.rtosoft.com/Enter.asp?ID=79
**********************************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
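The workaround Ed lands on (re-import the Restricted Groups template into the local security database and run that on a schedule), written out as an added example that is not code from the thread; the C:\Lockdown path, the file names, the 03:00 run time and the single kept member Administrator are assumptions, and the template sketch uses the standard security-template [Group Membership] syntax.

```batch
@echo off
rem enforce-groups.cmd (added example, not from the thread)
rem Re-applies a Restricted Groups template on a standalone Windows 2000 host
rem and, with the "install" argument, registers itself as a daily AT job.
rem Paths and names below are assumptions.

setlocal
set LOCK=C:\Lockdown
set INF=%LOCK%\restricted.inf
set SDB=%LOCK%\restricted.sdb
set LOG=%LOCK%\restricted.log

rem Expected contents of %INF% (create it with the Security Templates MMC
rem snap-in or a Unicode-capable editor; standard template syntax assumed):
rem   [Unicode]
rem   Unicode=yes
rem   [Version]
rem   signature="$CHICAGO$"
rem   Revision=1
rem   [Group Membership]
rem   Administrators__Memberof =
rem   Administrators__Members = Administrator
rem Accounts listed after __Members are kept; every other member of
rem Administrators is removed each time the template is applied.

if /i "%1"=="install" goto install

if not exist "%INF%" (
    echo Template %INF% not found.
    exit /b 1
)

rem Import only the group-membership area into the local security database.
rem /overwrite clears the database first so stale settings cannot linger.
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /areas GROUP_MGMT /log "%LOG%" /verbose

rem Show the resulting membership; a name that is not in the template means
rem the import failed (check %LOG%) or the template lists more than intended.
net localgroup Administrators
exit /b 0

:install
rem Schedule a nightly run as LocalSystem through the AT (Task Scheduler)
rem service that ships with Windows 2000.
at 03:00 /every:M,T,W,Th,F,S,Su "%~f0"
exit /b 0
```

Run it once as enforce-groups.cmd install from an administrative prompt to register the nightly job; each run then strips any account that was added to Administrators since the last apply, which is the behaviour the local GPO alone did not deliver on a standalone host.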