[gptalk] Re: Group Policy Restricted Groups question

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 25 Sep 2006 14:38:16 -0700

WMI filter- you can use this as a start:
 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/
win32_operatingsystem.asp
 
Look at the osLanguage section to determine what value you need to trigger
off of. For example- if the query returns "1033" you have an English version
and if it returns "1036" have the French.
 
What I am not sure about is if the query returns any language that is
available to the user or if it returns what you need- the default UI
language.
 
here is a sample vbscript that returns the info - now you can take this as a
start to build your WMI query.
 
'****StartCode****
Set WMI = GetObject("WinMgmts://")
Set w1 = WMI.InstancesOf("WIN32_OPERATINGSYSTEM")
For each w2 in w1
msgbox w2.oslanguage
Next
'****EndCode****
 
Later,
 
Omar

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Monday, September 25, 2006 2:10 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Restricted Groups question


Interesting issue. I encountered something similar but not using restricted
groups.
 
If you can figure out how to determine the language version please share the
info.
 
I took a few minutes to search for how to do it and I found a link but my
coding skills are limited to vbscript editing and I can do nothing with this
info- but maybe you can..
 
http://www.microsoft.com/globaldev/handson/dev/newapis.mspx
 
Good luck,
 
Omar

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, September 25, 2006 1:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Restricted Groups question


Have you tried entering the well-known SID of the local Administrators group
(S-1-5-32-544) into the Restricted Group Policy directly instead of the text
name? This has worked for me in the past. If not, then WMI filtering of the
OS language is probably your next best solution. 
 
Darren
 
 
 From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of DSalmon@xxxxxxxxxxxxxxxx
Sent: Monday, September 25, 2006 1:30 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Restricted Groups question


Group Policy Restricted Groups question 
 
Our company is based out of the US, but has satellite offices around the
world.  We are running into a language barrier with Restricted Groups.  We
have a GPO that nests an AD Domain Local group into the local Administrators
group of a remote machine via Restricted Groups.  This policy works just
fine for remote computers in offices worldwide that are running the English
version of Windows, however the policy fails to apply to computers running
foreign-language versions of Windows because it cannot find the local
Administrators group.  We have figured out the reason for this failure as in
the French version of Windows there is no local "Administrators" group,
there is a local "Administrateurs" group.  Because Restricted Groups only
matches groups by name (vs. SID) when the name doesn't match, that setting
in group policy fails to apply.  Hence the problem.
 
We could add in another entry into the Restricted Group policy specifying
"Administrateurs" but then the English "Administrators" would still fail and
we would still notice GP application errors in the remote system's event
log.  Is there a way to make the Restricted Groups policy language agnostic?
 
If not, is there a way to filter a GPO to apply to only the foreign-language
versions of Windows?  One solution would be to set up WMI filtering on the
GPO that checks the language of the remote OS.  Do you have any other ideas?
 

Other related posts: