Have you tried entering the well-known SID of the local Administrators group (S-1-5-32-544) into the Restricted Group Policy directly instead of the text name? This has worked for me in the past. If not, then WMI filtering of the OS language is probably your next best solution.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of DSalmon@xxxxxxxxxxxxxxxx
Sent: Monday, September 25, 2006 1:30 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Restricted Groups question

Group Policy Restricted Groups question

Our company is based out of the US, but has satellite offices around the world. We are running into a language barrier with Restricted Groups. We have a GPO that nests an AD Domain Local group into the local Administrators group of a remote machine via Restricted Groups. This policy works just fine for remote computers in offices worldwide that are running the English version of Windows; however, the policy fails to apply to computers running foreign-language versions of Windows because it cannot find the local Administrators group.

We have figured out the reason for this failure: in the French version of Windows there is no local "Administrators" group; there is a local "Administrateurs" group. Because Restricted Groups only matches groups by name (vs. SID), when the name doesn't match, that setting in group policy fails to apply. Hence the problem.

We could add another entry to the Restricted Group policy specifying "Administrateurs", but then the English "Administrators" would still fail and we would still notice GP application errors in the remote system's event log.

Is there a way to make the Restricted Groups policy language agnostic? If not, is there a way to filter a GPO to apply to only the foreign-language versions of Windows? One solution would be to set up WMI filtering on the GPO that checks the language of the remote OS. Do you have any other ideas?
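
Added example, not part of the thread above and not written by either poster: a PowerShell check that audits the result of the Restricted Groups policy on any OS language by looking up the local Administrators group through its well-known SID, and that reports the OSLanguage value a WMI filter would test. The group name CONTOSO\Workstation-Admins is a placeholder assumption, and the script assumes Windows PowerShell 5.1 or later (Microsoft.PowerShell.LocalAccounts module).

```powershell
# Added example: language-independent audit of local Administrators membership.
# Assumption: 'CONTOSO\Workstation-Admins' is a placeholder for the domain local
# group that the GPO nests into the local Administrators group.
$ExpectedMember = 'CONTOSO\Workstation-Admins'
$AdminsSid      = 'S-1-5-32-544'   # well-known SID quoted in the thread

# Resolve the SID to the name this OS language uses
# (BUILTIN\Administrators, BUILTIN\Administrateurs, ...).
$sid       = New-Object System.Security.Principal.SecurityIdentifier $AdminsSid
$localName = $sid.Translate([System.Security.Principal.NTAccount]).Value

# The value a GPO WMI filter would evaluate, e.g.
#   SELECT * FROM Win32_OperatingSystem WHERE OSLanguage = 1036
# (1033 = English, United States; 1036 = French, France).
$osLanguage = (Get-CimInstance -ClassName Win32_OperatingSystem).OSLanguage

# Enumerate members by SID, never by the localized group name.
try {
    $members = @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
    $lookupError = $null
}
catch {
    # Report the failure instead of silently treating the group as empty.
    $members = @()
    $lookupError = $_.Exception.Message
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    OSLanguage     = $osLanguage
    LocalGroupName = $localName
    ExpectedMember = $ExpectedMember
    IsMember       = $members -contains $ExpectedMember   # case-insensitive match
    AllMembers     = $members -join '; '
    LookupError    = $lookupError
}
```

Run on an English and a French machine, LocalGroupName differs while the SID lookup and the IsMember result behave the same, which is the property the SID-based Restricted Groups entry relies on.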