User/Group name validation in Group Security Policy

1

Why doesn't the GPO editor check the validity of the given username/group name in the 'Add User or Group' dialog box? It also doesn't check whether a valid name was given when you apply in the actual policy dialog box (for example, 'Deny access to this computer from network').

I restarted the computer (DC) and also issued gpupdate /force, but the bad username is still there.


Ajay

Posted 2014-10-10T10:29:28.920

Reputation: 702

Answers

1

The GPO editor doesn't validate usernames because there are scenarios where it wouldn't be able to validate perfectly valid account names.

Observe that any such validation would take place on the machine where you are editing the policy and then consider the following scenario:

  1. You configure the Computer/Preferences/Control Panel Settings/Local Users and Groups/Local Group policy to add members to the Administrators (built-in) group.
  2. The username you specify is a machine local user account that does not exist on the workstation where you're running Group Policy Editor, but does exist on the machines targeted by the policy.

In this case, a username validity check would fail, even though you specify valid account names. For this reason, the GP Editor cannot validate account names.

I say Reinstate Monica

Posted 2014-10-10T10:29:28.920

Reputation: 21 477
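
Since the editor cannot validate names, the check has to happen where the policy applies. The following is an added example, not part of the original answer: a hypothetical function, `Test-TemplateAccount`, that reads the `[Privilege Rights]` section of a security template (such as a copy of a GPO's GptTmpl.inf) and tries to resolve every listed account on the machine where it runs. The sample template and the account name in it are constructed for illustration.

```powershell
# Added example: run on a machine targeted by the policy, because local
# accounts only resolve there.
function Test-TemplateAccount {
    param([Parameter(Mandatory)] [string] $Path)   # path to a security template (.inf)

    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only user rights assignments are checked here
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $resolved = $null
                try {
                    if ($entry.StartsWith('*S-')) {
                        # Stored as a SID: translate SID -> account name
                        $sid = [System.Security.Principal.SecurityIdentifier]::new($entry.Substring(1))
                        $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } else {
                        # Stored as a plain name: translate name -> SID
                        $acct = [System.Security.Principal.NTAccount]::new($entry)
                        $resolved = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                    }
                } catch {
                    $resolved = $null   # no mapping on this machine, or malformed SID
                }
                [pscustomobject]@{ Right = $right; Entry = $entry; Resolves = [bool]$resolved; ResolvedAs = $resolved }
            }
        }
    }
}

# Constructed sample: one well-known SID (BUILTIN\Guests) and one made-up name
$sample = Join-Path $env:TEMP 'GptTmpl-sample.inf'
@'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,nosuchuser_constructed
'@ | Set-Content -LiteralPath $sample -Encoding Unicode

# List only the entries that do not resolve on this machine
Test-TemplateAccount -Path $sample | Where-Object { -not $_.Resolves }
```

An entry that fails to resolve here is either a typo or an account that exists only on other machines, which is the distinction the editor cannot make at edit time.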