Group Policy - Defining Security Policies Using Variables?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Problem:
When setting up a new GPO, is there a method for using variables such as
%computername%\LocalServiceAccount when defining security permissions such as
“Deny log on locallyâ€

Background:
I'm monitoring hundreds of local server accounts with common names and
adminstrative access. These accounts run services and applications but do
not need console access. I need to find an effective method for setting the
permission "Deny Logon Locally."
 
Unextended GP does not have ability to use a meta-like level
in the policy settings. Some things however, if set in GPO at
the OU level can be used to name accounts that only exist at the
local machine level if you do this with care and the account
or group to be named is a well-known, predefined in Windows.
Otherwise, look at use of a startup script defined in GPO that,
in your case, invokes such as NTrights tool from the reskit.
Also, there are third-party products that extend the GP mechanics
so they can accommodate meta-info that is expanded on the target
client in client specific fashion.
 
Back
Top