[gptalk] Re: Restricted Groups - unexpected behaviour (multi-lingual environment)

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 30 May 2008 07:56:45 -0700

Hendrikus-

I believe you are correct about Restricted Groups making a best-effort match
when a SID is not stored in the INF file, and that is probably how it found
the Domain Administrateur account. As for the local Administrator account,
it is in Administrators by default and is not affected at all by Restricted
Groups policy. That is, you cannot forcefully or accidentally remove
Administrator from the local Administrators group using Restricted Groups
policy, by design.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of HENDRIKUS Terwint [SEDIRSI]
Sent: Friday, May 30, 2008 2:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Restricted Groups - unexpected behaviour (multi-lingual
environment)


All,

Anyone seen this before?

We are in a multi-lingual environment:

  - DCs/AD in French
  - Some member servers in English


-> In Restricted Groups we added "Administrateur" (in French) as one of the
   members of the local Administrators group
   - "Administrateur" shows as "Administrateur" in the GptTmpl.inf file (not
     its SID but the name written in French)
-> If this GPO is applied to the English version (member) servers, the local
   Administrators group contains these members:
   - "Local server\Administrator"
   - "Domain\Administrateur"
   - etc. (all other groups specified in the Restricted Groups policy)
 

How does this work? The CSE responsible for that, does it do this:

  * query "Administrateur" - error
  * cannot find it locally, finds it in the domain and adds
    "Domain\Administrateur"

If that is true, this would explain how "Domain\Administrateur" got into the
local Administrators group, but how did the "Local\Administrator" account get
added? (The GPO has been configured with, and the .inf file contains,
"administrateur", not "administrator".)


Even though it's of course perfectly alright to have the
"Local\Administrator" account in the local Administrators group, I still
would have liked to understand why this happened, and also whether there is
a way to keep the "Domain\Administrateur" account out of it.

Thanks in advance for your help,

Hendrikus
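The following PowerShell script is an added example and is not code from either message in this thread. It audits the [Group Membership] section of a GptTmpl.inf to show which members are stored by name (resolved on the applying machine, so dependent on that machine's language and on what the domain contains) and which are stored by SID, and it emits a SID-pinned rewrite of the Members line so the policy no longer depends on a localized account name. The INF text, the domain name CONTOSO, the group ServerAdmins and the S-1-5-21-... SIDs are constructed placeholders; name resolution is done with .NET NTAccount.Translate as a stand-in for the CSE's own lookup, not a copy of it. S-1-5-32-544 is the built-in Administrators group and a SID ending in -500 is an Administrator account (local or domain, depending on the SID prefix); those two facts are not assumptions.

```powershell
# Added example, not code from the thread. Audits the [Group Membership] section of a
# GptTmpl.inf: name-form members are resolved on the applying machine (language-
# dependent), SID-form members ('*S-1-...') are not. Then rewrites the Members line
# with every resolvable name pinned to its SID.
# Assumptions: the INF text is constructed; CONTOSO, ServerAdmins and the S-1-5-21-...
# SIDs are placeholders; NTAccount.Translate stands in for the CSE's own lookup.

# Constructed sample. A real GptTmpl.inf lives under
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\
# S-1-5-32-544 = built-in Administrators; a SID ending in -500 = an Administrator account.
$inf = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrateur,CONTOSO\ServerAdmins,*S-1-5-21-1111111111-2222222222-3333333333-500
'@

function Get-RestrictedGroupEntries {
    param([string]$IniText)
    $inSection = $false
    foreach ($line in $IniText -split "`r?`n") {
        if ($line -match '^\[(?<section>.+)\]\s*$') {
            $inSection = ($Matches['section'] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(?<group>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group']; $kind = $Matches['kind']; $value = $Matches['value'].Trim()
            if (-not $value) { continue }   # empty list, e.g. "__Memberof ="
            foreach ($m in ($value -split ',')) {
                [pscustomobject]@{
                    Group  = $group
                    Kind   = $kind
                    Member = $m.Trim()
                    IsSid  = $m.Trim().StartsWith('*')   # '*' prefix = stored as SID
                }
            }
        }
    }
}

function Resolve-RestrictedGroupMember {
    # Returns what a name-form or SID-form entry resolves to on THIS machine.
    param([string]$Member)
    try {
        if ($Member.StartsWith('*')) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($Member.TrimStart('*'))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $note = 'SID form: unambiguous regardless of OS language'
        } else {
            # A bare name (no DOMAIN\ prefix) is looked up locally first, then in the
            # domain; on an English server "Administrateur" does not exist locally and
            # so lands on the French domain's Administrateur, as observed in the thread.
            $acct = New-Object System.Security.Principal.NTAccount($Member)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $note = if ($sid.Value -like 'S-1-5-21-*-500') {
                'Name form resolved to an RID-500 Administrator account; pin by SID'
            } else { 'Name form: result depends on the applying machine; pin by SID' }
        }
        [pscustomobject]@{ Member = $Member; Sid = $sid.Value; ResolvedTo = $name; Note = $note }
    } catch {
        [pscustomobject]@{ Member = $Member; Sid = $null; ResolvedTo = $null
                           Note = "Unresolvable here: $($_.Exception.Message)" }
    }
}

function ConvertTo-SidPinnedMembersLine {
    # Rewrites one "<group>__Members = ..." line with every resolvable name replaced
    # by its *SID form, so the INF no longer depends on localized account names.
    param([string]$Group, [string[]]$Members)
    $pinned = foreach ($m in $Members) {
        if ($m.StartsWith('*')) { $m; continue }
        $r = Resolve-RestrictedGroupMember -Member $m
        if ($r.Sid) { '*' + $r.Sid } else { $m }   # keep names that cannot be resolved here
    }
    '{0}__Members = {1}' -f $Group, ($pinned -join ',')
}

# Usage: list the locale-dependent entries, show how each resolves on this machine,
# and print the SID-pinned replacement line for the Administrators group.
$entries = Get-RestrictedGroupEntries -IniText $inf
$entries | Where-Object { $_.Kind -eq 'Members' -and -not $_.IsSid } | Format-Table Group, Member
$entries | Where-Object { $_.Kind -eq 'Members' } |
    ForEach-Object { Resolve-RestrictedGroupMember -Member $_.Member } | Format-Table -AutoSize
$admins = $entries | Where-Object { $_.Group -eq '*S-1-5-32-544' -and $_.Kind -eq 'Members' }
ConvertTo-SidPinnedMembersLine -Group '*S-1-5-32-544' -Members ($admins | ForEach-Object { $_.Member })
```

Run it on the machine whose resolution you want to see: the same name-form entry resolves differently on a French domain controller and on an English member server, which is the whole point of the thread. Pinning the entry as `*<SID>` (the RID-500 SID of whichever Administrator account you actually mean) removes that dependency; the local built-in Administrator stays in Administrators regardless of what the policy lists.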