2.2.10 Group Membership
This section defines settings that enable the administrator to control the membership of various groups. The ABNF syntax for the entries in this category MUST be as follows.
```
Header = "[" HeaderValue "]" LineBreak
HeaderValue = "Group Membership"
Settings = Setting / Setting Settings
Setting = Key Wsp "=" Wsp ValueList LineBreak
Key = GroupNameMembers / GroupNameMemberof
GroupNameMembers = (GroupName / (%d42 SID)) "__Members"
GroupNameMemberof = (GroupName / (%d42 SID)) "__Memberof"
GroupName = GROUPNAMESTRING
ValueList = Value / Value Wsp "," Wsp ValueList
Value = %d42 SID / GROUPNAMESTRING
GROUPNAMESTRING = 1*256(ALPHANUM / %d32-33 / %d35-41 / %d45 / %d64 / %d94-96 / %d123 / %d125 / %d126)
```
The SID element in the preceding syntax has its ABNF specification in [MS-DTYP] section 2.4.2.1.
Note that in the actual security policy, the preceding "GroupName" setting MUST be replaced by the actual name of a group whose members or membership in other groups MUST be configured. For more information, see the example in section 4.3.
The following table explains each of the settings listed.
| Setting key | Explanation |
|---|---|
| GroupNameMembers | A string representing a group name to which the string "__Members" has been appended. The specified group's membership is to be set to the valuelist. The string MUST be an alphanumeric string as defined in the ABNF specified here. |
| GroupNameMemberof | A string representing a group name to which the string "__Memberof" has been appended. The specified group is to be made a member of each group in the valuelist. The string MUST be an alphanumeric string as defined in the ABNF specified here. |
| Value | For GroupNameMembers, the SIDs or names of users and groups which the group MUST contain. For GroupNameMemberof, the SIDs or names of groups which the group MUST be a member of. Each Value MUST conform to the syntax of the SID as specified in [MS-DTYP] section 2.4.2.1 or to the GROUPNAMESTRING ABNF syntax specified here. |
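
The following Python sketch is an added example, not part of the specification: it parses a [Group Membership] section according to the grammar in this section, rejects entries that do not conform, and lists which principals a policy would place into a watched group. The SID pattern is a simplified stand-in for the syntax in [MS-DTYP] section 2.4.2.1, the sample input is constructed, the function names are hypothetical, and the default watched group is the well-known SID of the built-in Administrators group.

```python
import re

# GROUPNAMESTRING character set, transcribed from the ABNF in this section.
NAME = r"[A-Za-z0-9 !#$%&'()\-@^_`{}~]{1,256}"
# Assumption: simplified stand-in for the SID syntax of [MS-DTYP] section 2.4.2.1.
SID = r"S-1-(?:\d{1,10}|0x[0-9A-Fa-f]{12})(?:-\d{1,10})+"
VALUE = re.compile(rf"\*{SID}|{NAME}")
KEY = re.compile(rf"(?P<group>\*{SID}|{NAME})__(?P<kind>Members|Memberof)", re.I)

# Constructed sample input, not taken from a real policy.
SAMPLE = """\
[Other Section]
Ignored = 1
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512, Server Admins
Help Desk__Memberof = *S-1-5-32-544, *S-1-5-32-555
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members' | 'memberof'): [values]} for [Group Membership]."""
    result, in_section = {}, False
    for n, raw in enumerate(inf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or not line:
            continue
        key, sep, values = line.partition("=")
        m = KEY.fullmatch(key.strip())
        if not sep or not m:
            raise ValueError(f"line {n}: malformed key {key!r}")
        items = [v.strip() for v in values.split(",")]
        bad = [v for v in items if not VALUE.fullmatch(v)]
        if bad:  # every Value must be a *SID or a GROUPNAMESTRING; empty is rejected
            raise ValueError(f"line {n}: malformed value(s) {bad!r}")
        result[(m["group"], m["kind"].lower())] = items
    return result

def audit(parsed, watched=("*S-1-5-32-544",)):
    """List (principal, watched group) pairs the policy would create."""
    hits = []
    for (group, kind), values in parsed.items():
        if kind == "members" and group in watched:
            hits += [(v, group) for v in values]  # __Members: values go into group
        elif kind == "memberof":
            hits += [(group, w) for w in values if w in watched]  # group joins values
    return hits

if __name__ == "__main__":
    for principal, group in audit(parse_group_membership(SAMPLE)):
        print(f"{principal} -> member of {group}")
```

Because "_" (%d95) is a legal GROUPNAMESTRING character, the suffix has to be matched from the end of the key, which the regular expression does by backtracking.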