Using Group names in the security templates (inf files)

[Kevin]

Hi,

Does anyone know if it's possible to use Group Names in a security
template instead of the SID of the group? If I create a security
template using the MMC and allow a certain group access to a
particular folder when I open the inf file that's created the MMC has
converted the group name to the SID. as in the example below:
[File Security]
"%SystemRoot%\Windows\MyFolder",0,"DAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-1606980848-813497703-725345543-1145)"

What I would like to use is:
"%SystemRoot%\Windows\MyFolder",0,"DAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;MyGroup)"

The reason I want this is because I am creating the security templates
in a test environment, so if I create new groups in the live
environment the names won't change but the SID's will, which means my
templates won't work.
Have I got the syntax wrong or is it that secedit will only take inf
files that use the SID's? does the SID hold domain information aswell
as group information?

Any help would be appreciated.
Thanks,
Kevin

 

[Nick Finco [MSFT]]

That is currently not possible. SDDL only supports the use of SIDs and well
known account aliases in that field.

http://msdn.microsoft.com/library/d...ecurity/security_descriptor_string_format.asp

N