How to define the built-in administrators group in a group-policy object?

Do I need to set the string "BUILTIN\Administrators" or just "Administrators"?

What about "LOCAL SERVICE" and "NETWORK SERVICE"?

Do I need to set "NT AUTHORITY\LOCAL SERVICE" or just "LOCAL SERVICE"?

You don't need the explicit BUILTIN or NT AUTHORITY at the beginning, as your domain should successfully infer it - there's only one group named Administrators, only one account named LOCAL SERVICE and only one account named NETWORK SERVICE.

For future reference, when in doubt, keep two things in mind:

  1. You can use the Browse -> Check Names GUI options to have the proper object filled in for you.

    • If you're building a script based on this, you can then look up the properties, including the SID, of the object that's been filled in.

  2. As with anything else, when in doubt, specify explicitly or prefer a more qualified/distinguished name over a less qualified/distinguished one.
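
The SID lookup mentioned in point 1, as an added PowerShell example that is not part of the original answer: it resolves the short and qualified names from the question to SIDs, shows that both forms land on the same principal, and then builds the same SIDs without any name lookup. The helper name `Resolve-PrincipalSid` is hypothetical; the example assumes PowerShell 5 or later on a Windows host.

```powershell
# Added example. Names come from the question; the helper name is hypothetical.
$names = @(
    'Administrators',  'BUILTIN\Administrators',
    'LOCAL SERVICE',   'NT AUTHORITY\LOCAL SERVICE',
    'NETWORK SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
)

function Resolve-PrincipalSid {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $sid = [System.Security.Principal.NTAccount]::new($Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        # Translate back to see the fully qualified name Windows assigns.
        $qualified = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Input = $Name; Sid = $sid.Value; Qualified = $qualified }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Seen on localized Windows, where these display names differ.
        [pscustomobject]@{ Input = $Name; Sid = $null; Qualified = '<not resolved>' }
    }
}

$resolved = $names | ForEach-Object { Resolve-PrincipalSid -Name $_ }
$resolved | Format-Table -AutoSize

# Short and qualified forms should collapse to one SID per principal.
$resolved | Group-Object Sid | ForEach-Object {
    '{0,-14} <- {1}' -f $_.Name, ($_.Group.Input -join ', ')
}

# Locale-independent route for scripts: build the SID from its well-known type.
foreach ($type in 'BuiltinAdministratorsSid', 'LocalServiceSid', 'NetworkServiceSid') {
    $sid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]$type, $null)
    # Security templates reference a principal by SID as '*' followed by the SID.
    '{0,-26} *{1}' -f $type, $sid.Value
}
```

The three principals have the fixed well-known SIDs S-1-5-32-544, S-1-5-19 and S-1-5-20, so a script that writes the SID rather than the name gives the same result on every machine regardless of display language.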