Configure a Local User Item

Applies To: Windows Server 2008

Local User preference items allow you to centrally create, delete, and rename local users. Also, you can use this preference item to change local user passwords. Before you create a local user preference item, you should review the behavior of each type of action possible with the extension.

Creating a Local User item

To create a new Local User preference item

1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.

3. Right-click the Local Users and Groups node, point to New, and select Local User.

4. In the New Local User dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

5. Enter local user settings for Group Policy to configure or remove. (For more information, see "Local user settings" in this topic.)

6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether a user with the same name (or, for built-in accounts, security identifier [SID]) exists.

Update

Rename a user or modify user settings. This action differs from Replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the local user does not exist, then the Update action creates a new local user.

Local User settings

User must change password at next logon

Use this setting if you want to force the newly created or updated local user to change their password at their next logon.

Account is disabled

Use this setting if you want to disable the newly created or updated local user.

Account never expires

Use this setting if you do not want the newly created or updated local user account to expire. Deselect the setting to force the newly created or updated local user account to expire. Then, choose an expiration date from the Account expires list.

Additional considerations

• The Local User item action Replace deletes the existing local user and creates a new local user, which includes a new security identifier

• The Local User item action Update modifies the settings of a local user, but does not change the security identifier of the local user.

• You can use item-level targeting to change the scope of preference items.

• Preference items are available only in domain-based GPOs.

Additional references

• Local Users and Groups Extension

• For additional information on configuring settings in Windows, see the Windows Server 2008 TechCenter (https://go.microsoft.com/fwlink/?LinkId=91710).