[gptalk] Re: Restricted Groups - unexpected behaviour (multi-lingual environment)

  • From: "HENDRIKUS Terwint [SEDIRSI]" <terwint.hendrikus.prestataire@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 2 Jun 2008 09:44:16 +0200

Thank you, Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Friday, 30 May 2008 16:57
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Restricted Groups - unexpected behaviour (multi-lingual
environment)

 

Hendrikus-

I believe you are correct about Restricted Groups making a best-effort match
when a SID is not stored in the INF file, and that is probably how it found the
Domain Administrateur account. As for the local Administrator account, it is in
Administrators by default and is not affected at all by Restricted Groups
policy. That is, you cannot forcefully or accidentally remove Administrator
from the local Administrators group using Restricted Groups policy, by design.

 

Darren


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of HENDRIKUS Terwint [SEDIRSI]
Sent: Friday, May 30, 2008 2:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Restricted Groups - unexpected behaviour (multi-lingual 
environment)

 

All,

 

Anyone seen this before ?

 

We are in a multi-lingual environment:

  • DCs/AD in French

  • Some member servers in English

  • In Restricted Groups we added "Administrateur" (in French) as one of the
    members of the local Administrators group

      - "Administrateur" shows as "Administrateur" in the GptTmpl.inf file (not
        its SID but the name written in French)

  • If this GPO is applied to the English-version (member) servers, the local
    Administrators group contains these members:

      - "Local server\Administrator"

      - "Domain\Administrateur"

      - Etc. (all other groups specified in the Restricted Groups policy)

 

How does this work? Does the CSE responsible for that do this:

* query "Administrateur" - error

* cannot find it locally, finds it in the domain and adds
"Domain\Administrateur"

If that is true, this would explain how "Domain\Administrateur" got into the
local Administrators group, but how did the "Local\Administrator" account get
added? (The GPO has been configured with, and the .inf file contains,
"administrateur", not "administrator".)

 

Even though it's of course perfectly alright to have the "Local\Administrator" 
account in the Local Administrators group, I still would have liked to 
understand why this happened, and also whether there is a way to keep the 
"Domain\Administrateur" account out of it.

 

Thanks in advance for your help,

 

Hendrikus
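As an added illustration (not part of the original thread or of any Microsoft tooling), the PowerShell below parses the [Group Membership] section of a Restricted Groups GptTmpl.inf and reports which members are stored as SIDs (the *S-1-... form) and which as bare, language-dependent names that the CSE has to resolve on each target. For the latter it performs the same name-to-SID lookup the target would (local SAM first, then the domain, via NTAccount.Translate) and prints the SID form that would make the entry independent of the target's language. The .inf content, domain SID and SYSVOL path are constructed assumptions.

```powershell
# Added example, not code from the original thread: audit a Restricted Groups
# GptTmpl.inf to see which members are stored as SIDs (*S-1-...) and which as
# bare, language-dependent names, then emit the SID form for the latter.
# The file content below is constructed to mirror the thread; the domain SID,
# RID values and SYSVOL path are illustrative assumptions.

$sample = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,Administrateur
'@

function Get-RestrictedGroupEntries {
    # Parse the [Group Membership] section. Keys look like
    #   <group>__Members = <m1>,<m2>   or   <group>__Memberof = <g1>,<g2>
    # where a leading '*' marks a SID; anything else is a name the CSE has to
    # look up on each target machine.
    param([Parameter(Mandatory)][string[]]$Lines)

    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or -not $t) { continue }
        if ($t -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group']; $kind = $Matches['kind']
            $members = @($Matches['list'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            foreach ($m in $members) {
                [pscustomobject]@{
                    Group       = $group
                    Kind        = $kind
                    Member      = $m
                    StoredAsSid = $m.StartsWith('*')
                }
            }
        }
    }
}

function Resolve-MemberSid {
    # Translate a member entry to a SID the way the target would have to: a SID
    # entry is returned as-is; a bare name goes through LookupAccountName
    # (NTAccount.Translate), which checks the local SAM first and then the
    # domain. On an English machine a French name therefore misses the local
    # "Administrator" and may land on DOMAIN\Administrateur instead.
    param([Parameter(Mandatory)][string]$Member)

    if ($Member.StartsWith('*')) {
        return [pscustomobject]@{ Member = $Member; Sid = $Member.Substring(1); Resolved = $true; Note = 'stored as SID' }
    }
    try {
        $sid = ([System.Security.Principal.NTAccount]$Member).Translate([System.Security.Principal.SecurityIdentifier])
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        return [pscustomobject]@{ Member = $Member; Sid = $sid.Value; Resolved = $true; Note = "resolves to $account on this host" }
    } catch {
        return [pscustomobject]@{ Member = $Member; Sid = $null; Resolved = $false; Note = "unresolvable on this host: $($_.Exception.Message)" }
    }
}

# Run against the constructed sample. For a real policy, replace $sample with
# Get-Content on the file (GptTmpl.inf is UTF-16; Get-Content detects the BOM):
#   '\\dom\SYSVOL\dom\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$entries = Get-RestrictedGroupEntries -Lines ($sample -split "`r?`n")
$entries | Format-Table Group, Kind, Member, StoredAsSid -AutoSize

# Only name entries have an outcome that depends on the target's language.
foreach ($e in ($entries | Where-Object { -not $_.StoredAsSid })) {
    $r = Resolve-MemberSid -Member $e.Member
    if ($r.Resolved) {
        "Replace '$($e.Member)' with '*$($r.Sid)' in $($e.Group)__$($e.Kind) ($($r.Note))"
    } else {
        "Cannot pin '$($e.Member)' to a SID here ($($r.Note))"
    }
}
```

Run it on the French DC and on an English member server and compare the two resolutions of "Administrateur": the name that the GPO editor stored is the same in both places, but the SID it maps to is not, which is the behaviour the thread describes. Storing the *S-1-... form instead removes the dependency on the target's locale.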
