Re: What does "No One" mean in a GPO Default setting?



I think what we have here is a problem with two different concepts.

"Privileges" are essentially features of the operating system that allow for
things to be done. Individual users (or groups) can be granted specific
Privileges or not. In some cases, by default, no user account or group is
assigned a specific Privilege - that's what "Default Setting: No one" means
in the related documentation - the list of users with this privilege is
empty.

"Group Policies" are ways to configure settings, including Privileges,
centrally. By default, all (well, at least most) settings in Group Policies
are "Not Defined" or "Not Configured". This means that in this particular
Group Policy Object, there is no value specified for this particular
setting; there may be another GPO or a Local Policy on the computer that
DOES grant this privilege, but you can't tell that from the Group Policy
Editor - the Resultant Set of Policies tool (or gpresult) will tell you if
this setting has been made from any source.

When you "Define" (or "Configure") a setting in a GPO, that means you want
to set some value for some setting, which may be a Privilege or might be
something else that is not actually a Privilege (e.g. visibility of the
Shutdown button is not a Privilege in the defined sense of that word with
respect to Windows).

If the setting you are making via GPO is a Privilege, you would "Define" the
corresponding setting in the Group Policy Editor (e.g. add a check mark to
the "Define these policy settings" check box), then supply a list of user
accounts or groups that you want to have that Privilege. There is no user
account or group with the name "No one", so it doesn't make any sense to
supply such a list item in such a GPO setting.

You may find that the "Add workstation to a domain" right has been
configured in the Default Domain Policy.
-----------------------------------------------

Now, with respect to the "Add workstation to a domain" privilege, I see a
possible confusion. When I follow the link you provided, I get "Windows XP
Professional Product Documentation" in the left pane and the "Privileges"
page in the right pane. There does not appear to be any way to get to this
page via the Table of Contents in the left pane, so I can't tell what the
context of this page really is or how you got there.

However, if you click on "User Rights Assignment" at the bottom of the page,
then click "Add workstations to domain", you get to a page that says

"This policy is valid only on domain controllers. By default, any
authenticated user has this right and can create up to 10 computer accounts
in the domain."
and
"Default: Authenticated Users.".

From my experience, this particular information is correct. By default, any
authenticated user can join up to 10 computers to a domain without having to
have any specific (not default) privileges, rights or permissions. This is
a domain feature, not a workstation feature.

I don't know why these two documentation pages say different things. The
only thing I can think of is that Add workstation to domain is meaningless
on a Windows XP computer since it cannot be a Domain Controller.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"Bill Bradley" <wdbradley3@xxxxxxxxxxx> wrote in message
news:%23JmIFzvcFHA.3032@xxxxxxxxxxxxxxxxxxxxxxx
> We recently implemented some User and Workstation GPO's that used settings
> from Microsoft to limit certain things to certain Groups. Our tech who
> did this followed the guidance (we thought), but, after we put them onto
> our test network, we started seeing issues with the defined Groups and
> Users not being resolvable. After checking we found some errors (such as
> "Administrators" misspelled as Adminstrators), but, we also got a lot of
> errors about "No One".
>
> In checking, it seems that in many of the MS lists of security settings
> for GPO's, while they usually use "Not Configured" as the Default, at
> times they use "No One" as the default, and...our tech just put in that
> term, and, since it's neither a Group nor User, it came up unresolvable.
>
> So...after spending hours online trying to find out what this means, and,
> what I should use...I'm mystified!
>
> What is meant when they use "No One", rather than "Not Configured" as the
> default, and, what should I put in on those items?
>
> Here's an example (URL is:
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsunprivs.mspx)
>
> Allows the user to add a computer to a specific domain. For the privilege
> to be effective, it must be assigned to the user as part of the Default
> Domain Controllers Policy for the domain. A user who has this privilege
> can add up to 10 workstations to the domain.
>
> Users can also be allowed to join a computer to a domain by giving them
> Create Computer Objects permission for an organizational unit or for the
> Computers container in Active Directory. Users who have the Create
> Computer Objects permission can add an unlimited number of computers to
> the domain, regardless of whether they have been assigned the Add
> workstations to a domain privilege.
>
> Default setting: No one
>
> Thanks.
>
>
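An added example, not part of the original post or of any Microsoft tool: a short Python check that separates the three states discussed above (not defined in this template, defined with an empty list meaning "No one", and defined with members) and flags member names that will not resolve. It assumes the secedit-style template layout that GPO security settings are stored in, with user rights under `[Privilege Rights]` and SIDs written as `*S-...`; the sample template and the `KNOWN_NAMES` list are constructed for illustration.

```python
# Constructed sample template, not taken from a real GPO.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeDebugPrivilege = Adminstrators
SeTcbPrivilege =
SeCreateTokenPrivilege = No One
[Version]
signature="$CHICAGO$"
"""

# Hypothetical list of account names known to exist in the domain.
KNOWN_NAMES = {"administrators", "authenticated users", "domain admins"}


def parse_privilege_rights(inf_text):
    """Return {right: [members]} for the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [m.strip() for m in value.split(",") if m.strip()]
    return rights


def classify(rights, right, known_names=KNOWN_NAMES):
    """Return (state, unresolved_names) for one user right."""
    if right not in rights:
        return ("not defined", [])      # this template says nothing about it
    members = rights[right]
    if not members:
        return ("defined: no one", [])  # defined, with an explicitly empty list
    # Entries starting with *S- are SIDs; anything else is a name that must resolve.
    unresolved = [m for m in members
                  if not m.startswith("*S-") and m.lower() not in known_names]
    return ("defined", unresolved)


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    for r in list(parsed) + ["SeShutdownPrivilege"]:
        print(r, classify(parsed, r))
```

A "not defined" result only describes this one template; the effective value on a machine still comes from the resultant set of policy.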

