Local User preference items let you centrally create, delete, and rename local users, and change local user passwords. Before you create a Local User preference item, review the behavior of each action the extension can perform (see "Actions" in this topic).

Creating a Local User item

To create a new Local User preference item
  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.

  3. Right-click the Local Users and Groups node, point to New, and select Local User.

  4. In the New Local User dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter local user settings for Group Policy to configure or remove. (For more information, see "Local user settings" in this topic.)

  6. Click the Common tab, configure any options, and then type your comments in the Description box. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the details pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether a user with the same name (or, for built-in accounts, security identifier [SID]) exists.

Create

Create a new local user on the local computer. If a local user with that name already exists, the extension leaves it unchanged.

Delete

Remove a local user with the matching name from the local computer. The extension performs no action if the local user does not exist.

Replace

Delete the local user with the matching name and create it again. The net result is that all existing settings associated with the local user are overwritten. If the local user does not exist, the Replace action creates a new local user.

Important

Windows identifies each account by its SID, and the access control entries on files, registry keys, and other resources refer to that SID rather than to the user name. Use caution with the Replace action: the recreated user is a new account with a new SID, so permissions, group memberships, and the user profile tied to the old SID no longer apply to it, which may leave the user without access to resources.

Update

Rename a user or modify user settings. This action differs from Replace in that it changes only the settings defined within the preference item; all other settings remain as they were. If the local user does not exist, the Update action creates a new local user.

Important

The Update action does not change the SID of the user.
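The SID behavior described under Replace and Update, reproduced as an added example (not code from the original article) with the Microsoft.PowerShell.LocalAccounts cmdlets that ship with Windows PowerShell 5.1 and later. Run it elevated on a test machine: the account name gpp-demo, the folder under %TEMP%, and the password prompt are assumptions made for the demonstration. The script grants the freshly created account access to a folder, then performs what Update (rename) and Replace (delete and recreate) do by hand and reports whether the SID and the folder access survive each step.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article. Reproduces what the Update
# and Replace actions do to a local account's SID, using the
# Microsoft.PowerShell.LocalAccounts cmdlets on a test machine. The account
# name, folder and password prompt are assumptions for the demo.

$name     = 'gpp-demo'
$password = Read-Host -AsSecureString -Prompt "Password for test account $name"
$folder   = Join-Path $env:TEMP 'gpp-demo-resource'

# Start clean, then "Create": a brand-new account gets a brand-new SID.
Get-LocalUser -Name $name, "$name-renamed" -ErrorAction SilentlyContinue | Remove-LocalUser
$created     = New-LocalUser -Name $name -Password $password -Description 'GPP action demo'
$originalSid = $created.SID

# Grant that SID Modify on a resource, as a file server ACL would.
# Access control entries store the SID, not the account name.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($originalSid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

function Test-SidHasAccess([System.Security.Principal.SecurityIdentifier] $Sid) {
    # Read the ACEs as SIDs rather than names so an orphaned SID still compares.
    $rules = (Get-Acl -Path $folder).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    return [bool] ($rules | Where-Object { $_.IdentityReference.Value -eq $Sid.Value })
}

# "Update" with Rename to: the account object is kept, only its name changes.
Rename-LocalUser -Name $name -NewName "$name-renamed"
$afterUpdate = (Get-LocalUser -Name "$name-renamed").SID
"Update : same SID = $($afterUpdate.Value -eq $originalSid.Value); access kept = $(Test-SidHasAccess $afterUpdate)"

# "Replace": the extension deletes the account and creates a new one of the same name.
Remove-LocalUser -Name "$name-renamed"
$replaced     = New-LocalUser -Name $name -Password $password -Description 'GPP action demo'
$afterReplace = $replaced.SID
"Replace: same SID = $($afterReplace.Value -eq $originalSid.Value); access kept = $(Test-SidHasAccess $afterReplace)"

# The folder ACL now carries an orphaned ACE that no account resolves to.
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference.Value -eq $originalSid.Value }

# Clean up the demo account and folder.
Remove-LocalUser -Name $name
Remove-Item -Path $folder -Recurse -Force
```

The Update line shows the SID and the folder access retained across the rename; the Replace line shows both lost, and the final Get-Acl call lists the orphaned entry left behind on the resource. That orphaned entry is exactly what the Important note above warns about: it still refers to the old SID, and nothing maps the new account to it.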

Local User settings

User Name

Type the name of the targeted local user. The preference extension creates a new user with this name if the user does not exist. If the user exists, the preference extension uses the user with this name as the target of the requested action.

Rename to:

Type the new name of the local user. This option is available only with the Update action. The preference extension renames the user identified in the User Name box to the name typed in the Rename to box.

Full name

Text used to display the full name of the local user. Press F3 to display a list of variables from which you can select.

Description

Text used to describe the purpose or use of the local user. Press F3 to display a list of variables from which you can select.

Password

Type the password to set when creating, replacing, or updating the local user, and type the same password in the Confirm Password box.

Security Note

This password is stored as part of the GPO in SYSVOL, which every authenticated domain user can read. It is obscured rather than protected: the key used to encrypt it is publicly documented, so anyone who can read the GPO's Groups.xml file can recover the password. Since security update MS14-025 (May 2014), the Password and Confirm Password boxes are disabled on updated management consoles, but items created earlier keep their stored password until they are removed. If you must store a password in a preference item, use a dedicated, low-privilege account created for that purpose, and never store administrative passwords in preference items.
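An added check (not from the original article) that inventories the stored passwords this note warns about, by parsing the Groups.xml files in which the extension saves Local User items under SYSVOL. The SYSVOL path, the sample Groups.xml, its placeholder clsid and uid values, and the account names in it are constructed for the demonstration; the element and attribute names (User, Properties, action, userName, newName, cpassword) are the ones the extension writes, with action codes C, R, U and D standing for Create, Replace, Update and Delete.

```powershell
# Added example, not part of the original article: lists Local User
# preference items that carry a stored password by looking for a non-empty
# cpassword attribute in Groups.xml under a GPO Policies folder.
# The demo tree, sample XML and names below are constructed for the example.

function Find-GppLocalUserPassword {
    param([Parameter(Mandatory)] [string] $PoliciesPath)

    $actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter 'Groups.xml' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        [xml] $doc = Get-Content -Path $file.FullName -Raw
        foreach ($user in $doc.SelectNodes('//User')) {
            $p = $user.Properties
            # A non-empty cpassword means a password is sitting in SYSVOL.
            if ($p -and $p.cpassword) {
                [pscustomobject]@{
                    Gpo      = ($file.FullName -split '[\\/]' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' } | Select-Object -First 1)
                    Scope    = if ($file.FullName -match '[\\/]Machine[\\/]') { 'Computer' } else { 'User' }
                    Action   = $actionNames[$p.action]
                    UserName = $p.userName
                    RenameTo = $p.newName
                    Changed  = $user.changed
                    File     = $file.FullName
                }
            }
        }
      }
}

# Demo on a constructed SYSVOL-like tree so the function runs offline.
$demoRoot = Join-Path $env:TEMP 'gpp-demo-sysvol'
$gpoDir   = Join-Path $demoRoot '{00000000-0000-0000-0000-000000000001}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null

# Constructed sample: one item with a stored password (Update), one without (Create).
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000000}" name="helpdesk" image="2" changed="2012-01-01 00:00:00" uid="{00000000-0000-0000-0000-0000000000AA}">
    <Properties action="U" newName="" fullName="Help Desk" description="" cpassword="ConstructedCiphertextPlaceholder==" changeLogon="0" noChange="0" neverExpires="1" acctDisabled="0" userName="helpdesk"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000000}" name="kiosk" image="2" changed="2012-01-01 00:00:00" uid="{00000000-0000-0000-0000-0000000000BB}">
    <Properties action="C" newName="" fullName="Kiosk" description="" cpassword="" changeLogon="1" noChange="0" neverExpires="0" acctDisabled="0" userName="kiosk"/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $gpoDir 'Groups.xml') -Encoding UTF8

Find-GppLocalUserPassword -PoliciesPath $demoRoot | Format-Table -AutoSize

# Against a real domain (path assumed; adjust to your SYSVOL layout):
# Find-GppLocalUserPassword -PoliciesPath "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"

Remove-Item -Path $demoRoot -Recurse -Force
```

The function reports only the helpdesk item, because the kiosk item has an empty cpassword. Run it against the real Policies folder from any domain-joined host (read access to SYSVOL is all it needs, which is the point of the warning), and treat every hit as a credential to rotate and an item to delete.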

User must change password at next logon

Use this setting if you want to force the newly created or updated local user to change their password at their next logon.

Account is disabled

Use this setting if you want to disable the newly created or updated local user.

Account never expires

Use this setting if you do not want the newly created or updated local user account to expire. Clear the setting to make the account expire, and then choose an expiration date from the Account expires list.

Additional considerations

  • The Local User item action Replace deletes the existing local user and creates a new local user, which has a new security identifier.

  • The Local User item action Update modifies the settings of a local user, but does not change the security identifier of the local user.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.
