[gptalk] Re: Group Policy Restricted Groups question

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 25 Sep 2006 13:36:49 -0700

Have you tried entering the well-known SID of the local Administrators group
(S-1-5-32-544) into the Restricted Group Policy directly instead of the text
name? This has worked for me in the past. If not, then WMI filtering of the
OS language is probably your next best solution.

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of DSalmon@xxxxxxxxxxxxxxxx
Sent: Monday, September 25, 2006 1:30 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Restricted Groups question

Our company is based out of the US, but has satellite offices around the
world.  We are running into a language barrier with Restricted Groups.  We
have a GPO that nests an AD Domain Local group into the local Administrators
group of a remote machine via Restricted Groups.  This policy works just
fine for remote computers in offices worldwide that are running the English
version of Windows; however, the policy fails to apply to computers running
foreign-language versions of Windows because it cannot find the local
Administrators group.  We have figured out the reason for this failure: in
the French version of Windows there is no local "Administrators" group;
there is a local "Administrateurs" group.  Because Restricted Groups only
matches groups by name (vs. SID), when the name doesn't match, that setting
in group policy fails to apply.  Hence the problem.
We could add in another entry into the Restricted Group policy specifying
"Administrateurs" but then the English "Administrators" would still fail and
we would still notice GP application errors in the remote system's event
log.  Is there a way to make the Restricted Groups policy language agnostic?
If not, is there a way to filter a GPO to apply to only the foreign-language
versions of Windows?  One solution would be to set up WMI filtering on the
GPO that checks the language of the remote OS.  Do you have any other ideas?
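
A check for the two suggestions in the reply, as an added example that is not part of the original thread: it resolves S-1-5-32-544 to the group's localized name, lists its members by SID, and evaluates a language-based WMI filter query on the local machine. The group name `EXAMPLE\Workstation-Admins` and the OSLanguage value 1036 (French, France) are assumptions; the cmdlets need Windows PowerShell 5.1 or later.

```powershell
# Added example: confirm on one machine, independent of display language,
# that the nested group reached the local Administrators group.
param(
    # Hypothetical placeholder for the AD group nested by the GPO.
    [string]$ExpectedMember = 'EXAMPLE\Workstation-Admins',
    # Assumed OSLanguage value used in the WMI filter (1036 = French, France).
    [int]$FilterLanguage = 1036
)

# Well-known SID of the built-in Administrators group (from the reply above).
$adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

# The SID is constant; only the display name changes per OS language,
# e.g. BUILTIN\Administrators vs. BUILTIN\Administrateurs.
$localName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value

# Same property a GPO WMI filter would test (namespace root\CIMv2).
$filterQuery = "SELECT * FROM Win32_OperatingSystem WHERE OSLanguage = $FilterLanguage"
$osLanguage  = (Get-CimInstance -ClassName Win32_OperatingSystem).OSLanguage
$filterHit   = [bool](Get-CimInstance -Query $filterQuery)

# Enumerate members by SID so the lookup never depends on the group name.
try {
    $members = @(Get-LocalGroupMember -SID $adminSid -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
    $lookupError = $null
} catch {
    # Membership could not be read (for example, unresolvable entries).
    $members = @()
    $lookupError = $_.Exception.Message
}

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    AdminGroupSid    = $adminSid.Value
    LocalizedName    = $localName
    OSLanguage       = $osLanguage
    WmiFilterQuery   = $filterQuery
    WmiFilterMatches = $filterHit
    ExpectedMember   = $ExpectedMember
    MemberPresent    = ($members -contains $ExpectedMember)
    Members          = $members -join '; '
    LookupError      = $lookupError
}
```

Run it on one English and one non-English machine after a policy refresh: `LocalizedName` differs while `AdminGroupSid` does not, and `MemberPresent` shows whether the Restricted Groups setting applied.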
