How to define the built-in administrators group in a group-policy object?
Do I need to set the string "BUILTIN\Administrators" or just "Administrators"?
What about "LOCAL SERVICE" and "NETWORK SERVICE"?
Do I need to set "NT AUTHORITY\LOCAL SERVICE" or just "LOCAL SERVICE"?
You don't need the explicit BUILTIN or NT AUTHORITY at the beginning, as your domain should successfully infer it - there's only one group named Administrators, only one account named LOCAL SERVICE and only one account named NETWORK SERVICE.
For future reference, when in doubt, keep two things in mind:
- You can use the Browse -> Check Names GUI options to have the proper object filled in for you.
  - If you're building a script based on this, you can then look up the properties, including the SID, of the object that's been filled in.
- As with anything else, when in doubt, specify explicitly or prefer a more qualified/distinguished name over a less qualified/distinguished one.
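
The SID lookup mentioned in the answer, as an added example that is not part of the original post: it resolves the short and qualified names from the question on the local machine and checks that each maps to the expected well-known SID. The function name `Resolve-PrincipalName` and the `$checks` table are hypothetical, and PowerShell 5 or later on Windows is assumed.

```powershell
# Added example, not from the original answer. Assumes Windows PowerShell 5+.
# Resolves an account name the way Windows does and reports the SID and the
# fully qualified name the system hands back.
function Resolve-PrincipalName {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $account   = [System.Security.Principal.NTAccount]::new($Name)
        $sid       = $account.Translate([System.Security.Principal.SecurityIdentifier])
        $qualified = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Input = $Name; Sid = $sid.Value; Qualified = $qualified; Note = '' }
    } catch {
        # Name did not resolve (or resolved ambiguously); keep the reason.
        [pscustomobject]@{ Input = $Name; Sid = $null; Qualified = $null; Note = $_.Exception.Message }
    }
}

# Names from the question, grouped by the well-known SID type each should map to.
$checks = [ordered]@{
    BuiltinAdministratorsSid = 'Administrators',  'BUILTIN\Administrators'
    LocalServiceSid          = 'LOCAL SERVICE',   'NT AUTHORITY\LOCAL SERVICE'
    NetworkServiceSid        = 'NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
}

$results = foreach ($type in $checks.Keys) {
    # Build the expected SID from the enum rather than from a typed-in string.
    $expected = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]$type, $null)

    foreach ($name in $checks[$type]) {
        $r = Resolve-PrincipalName -Name $name
        # True only if this spelling resolved to the intended principal.
        $r | Add-Member -NotePropertyName MatchesWellKnown `
                        -NotePropertyValue ($r.Sid -eq $expected.Value) -PassThru
    }
}

$results | Format-Table Input, Sid, Qualified, MatchesWellKnown, Note -AutoSize
```

A row with `MatchesWellKnown` set to `False` means that spelling did not resolve to the intended principal on that machine, which is the case where the more qualified name is the one to use.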