How to define the built-in administrators group in a group-policy object?

group-policy

Do I need to set the string "BUILTIN\Administrators" or just "Administrators"?

What about "LOCAL SERVICE" and "NETWORK SERVICE"?

Do I need to set "NT AUTHORITY\LOCAL SERVICE" or just "LOCAL SERVICE"?

You don't need the explicit BUILTIN or NT AUTHORITY at the beginning, as your domain should successfully infer it - there's only one group named Administrators, only one account named LOCAL SERVICE and only one account named NETWORK SERVICE.

For future reference, when in doubt, keep two things in mind:

  1. You can use the Browse -> Check Names GUI options to have the proper object filled in for you.

    • If you're building a script based on this, you can then look up the properties, including the SID, of the object that's been filled in.

  2. As with anything else, when in doubt, specify explicitly or prefer a more qualified/distinguished named over a less qualified/distinguished one.

Related

How do I resolve OpenSSH protocol mismatch? [closed]
cloud-init does not grow the partition nor the filesystem
Can I add an extra route to my Amazon VPC?
Existing TCP Relay Solutions [closed]
W2K8R2 - A way to convert effecitve Group Policy settings to import on stand-alone machines for local policy?
How to determine domain controller used for authentication
EtcKeeper: Switching from bzr to git
VMware Vmotion 5.1 fails at 51% , Between two identical new vmware servers
Debian unattended-upgrades does not upgrade all packages
Dockerfile separation of concerns for a secure apache httpd server with respect to SSL certification files
How do I disable the metadata lookup at cirros boot?
HP Procurve 2920 VLANs with DHCP cannot ping