[gptalk] Restricted Groups - unexpected behaviour (multi-lingual environment)

  • From: "HENDRIKUS Terwint [SEDIRSI]" <terwint.hendrikus.prestataire@xxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 30 May 2008 11:42:53 +0200



Anyone seen this before ?


We are in a multi-lingual environment:

·         DC's/AD in French

·         Some member servers in English



è In Restricted Groups we added "Administrateur" (in French) as one of the 
members of the local administrators group

o    "Administrateur" shows as "Administrateur" in the GptTmpl.inf file (not 
it's SID but the name written in French)

è If this GPO is applied to the English version (member) servers, the local 
administrators group contains these members:

o    "Local server\Administrator"

o    "Domain\Administrateur"

o    Etc. (all other groups specified in the Restricted Groups policy)


How does this work? The CSE responsible for that, does it do this :

* query "Administrateur" - error

* cannot find it locally, finds it in the domain and adds 


If that is true, this would explain how "Domain\Administrateur" got into the 
local administrators group, but how did the "Local\Adminstrator" account get 
added? (as the GPO has been configured with /and the .inf file contains 
"administrateur", not "administrator")


Even though it's of course perfectly alright to have the "Local\Administrator" 
account in the Local Administrators group, I still would have liked to 
understand why this happened, and also whether there is a way to keep the 
"Domain\Administrateur" account out of it.


Thanks in advance for your help,



Other related posts: