[gptalk] Group Policy Restricted Groups question

  • From: <DSalmon@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 25 Sep 2006 15:29:59 -0500

Our company is based out of the US, but has satellite offices around the
world.  We are running into a language barrier with Restricted Groups.
We have a GPO that nests an AD Domain Local group into the local
Administrators group of a remote machine via Restricted Groups.  This
policy works just fine for remote computers in offices worldwide that
are running the English version of Windows, however the policy fails to
apply to computers running foreign-language versions of Windows because
it cannot find the local Administrators group.  We have figured out the
reason for this failure: in the French version of Windows there is no
local "Administrators" group; there is a local "Administrateurs" group.
Because Restricted Groups only matches groups by name (vs. SID), when the
name doesn't match, that setting in group policy fails to apply.  Hence
the problem.
 
We could add in another entry into the Restricted Group policy
specifying "Administrateurs" but then the English "Administrators" would
still fail and we would still notice GP application errors in the remote
system's event log.  Is there a way to make the Restricted Groups policy
language agnostic?
 
If not, is there a way to filter a GPO to apply to only the
foreign-language versions of Windows?  One solution would be to set up
WMI filtering on the GPO that checks the language of the remote OS.  Do
you have any other ideas?
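
Added example, not part of the original post: a PowerShell check to run on a target machine that shows the localized name of the built-in Administrators group, tests OS-language WMI filter queries of the kind the post proposes, and verifies the nesting by SID rather than by name. The group name CONTOSO\Workstation-Admins and the two GPO labels are placeholders; 1033 and 1036 are the language IDs for English (United States) and French (France).

```powershell
# Added example. CONTOSO\Workstation-Admins is a placeholder for the
# domain local group that the GPO nests into local Administrators.
$expectedMember = 'CONTOSO\Workstation-Admins'

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# The SID is the same on every Windows installation; only the display
# name is localized (Administrators, Administrateurs, ...).
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value
$localName = $account.Split('\')[-1]

# OSLanguage is the language ID of the installed operating system.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Candidate WMI filter queries (namespace root\CIMv2). A GPO linked to a
# WMI filter applies only when the query returns at least one instance.
# Other English or French locales use different language IDs.
$filters = [ordered]@{
    'English-name GPO' = 'SELECT * FROM Win32_OperatingSystem WHERE OSLanguage = 1033'
    'French-name GPO'  = 'SELECT * FROM Win32_OperatingSystem WHERE OSLanguage = 1036'
}
$filterResults = foreach ($entry in $filters.GetEnumerator()) {
    $hit = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $entry.Value).Count -gt 0
    [pscustomobject]@{ Gpo = $entry.Key; Query = $entry.Value; WouldApply = $hit }
}

# Look up membership through the SID so the check itself does not
# depend on the localized group name.
$members = Get-LocalGroupMember -SID $sid | Select-Object -ExpandProperty Name

[pscustomobject]@{
    LocalAdminGroupName = $localName
    OSLanguage          = $os.OSLanguage
    ExpectedMemberFound = $members -contains $expectedMember
} | Format-List
$filterResults | Format-Table -AutoSize
```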
 