Group policy problem

George Spiro

To my surprise I just discovered this....

I have been playing with GPO for close to 5 years now. I consider myself an
expert and took something for granted to find out that I was wrong.

You see I live in the wonderful province of Quebec where we have Bilingual
users. So I have FRENCH workstations and ENGLISH workstations. I am not
using MUI. So I created a bunch of group policies everything looked fine
except for 1 thing. In group policies the restrictive groups:

PowerUsers and Administrators weren't updating the French workstations. The
only thing I could imagine is that STUPID Microsoft did not make those
policies mention:

POWERUSER GROUP = Usager avec pouvoir
ADMINISTRATOR GROUP = ADMINISTRATEUR

I am wondering how did you guys correct this problem in a Multilanguage
environment.

G.
 
Mark Heitbrink [MVP]

Hi,

George said:
POWERUSER GROUP = Usager avec pouvoir
ADMINISTRATOR GROUP = ADMINISTRATEUR

Same in German ... :-(
The problem is that if you manage the security policies from an
XP workstation and you do not "browse" the accounts and verify
them in the AD, the workstation will write down the STRING values
of a security group and not the SID.

Take a look into the GptTmpl.inf ... :-(

Only solution: Edit GPOs on the Server with a terminal session,
the server will (nearly) always write the SID, or choose the
account by browsing.

The answer from MS to this problem:
Yes, there is a problem ...

Mark
 
Joe Richards [MVP]

I have never not seen it insert a SID when you browse for the members, even from XP.

The reason why it has to support both SIDs and names is because it is possible
the accounts may be accounts local to the members which wouldn't have the same
SIDs on every machine.

joe
 
George Spiro

Back from a long vacation,

Is it possible to create a Group Policy with the French accounts? In an
English DC.

Thanks in advance,

G.
 
Mark Heitbrink [MVP]

Hi,

George said:
Is it possible to create a Group Policy with the French accounts?
In an English DC.

Forget about the "names". Just verify that the SIDs are used.
Otherwise, there is no problem if the STRING entries are not
affecting any system that doesn't support this language.

Mark
 
Mark Heitbrink [MVP]

F'UP2: microsoft.public.windows.group_policy

George said:
How would I do that to associate SID with the account name?

It worked for me to edit the GPO security settings only on the
DC via RDP session or to browse for the names and let them check
if you work from an XP workstation.

At least you can manually edit and check the GptTmpl.inf of each
policy and work with search and replace. After that you should
open the GPO again in a GUI and change something unnecessary and
revert it. Then the file will be written again/actualized but
keeps your settings and after that be replicated.

Mark
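
Added example, not part of the thread: a small Python check for the manual GptTmpl.inf review described above, listing every `[Group Membership]` group or member that is stored as a name string instead of a `*S-1-...` SID. It assumes the usual `<group>__Members` / `<group>__Memberof` key layout; the sample text, the `EXAMPLE` domain and the function names are constructed for illustration.

```python
import re

# Constructed sample of a GptTmpl.inf; not taken from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,LocalAdmin
Power Users__Memberof =
Power Users__Members = EXAMPLE\\Helpdesk
[Version]
signature="$CHICAGO$"
Revision=1
"""

# A SID reference is written with a leading asterisk, e.g. *S-1-5-32-544.
SID_TOKEN = re.compile(r"^\*S-1-(\d+)(-\d+)+$", re.IGNORECASE)
KEY = re.compile(r"^(?P<group>.+?)__(?P<kind>Memberof|Members)$", re.IGNORECASE)

def group_membership_lines(inf_text):
    """Yield (key, value) pairs from the [Group Membership] section only."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def find_name_entries(inf_text):
    """Return (kind, key, value) for groups/members stored as names, not SIDs."""
    findings = []
    for key, value in group_membership_lines(inf_text):
        m = KEY.match(key)
        if not m:
            continue
        group = m.group("group")
        # A localized name such as "Power Users" only resolves on matching OS languages.
        if not SID_TOKEN.match(group):
            findings.append(("group", key, group))
        for member in filter(None, (v.strip() for v in value.split(","))):
            if not SID_TOKEN.match(member):
                findings.append(("member", key, member))
    return findings
```

A reported member name is not automatically wrong, since accounts local to each machine can only be referenced by name; the group-name findings are the ones that break on differently localized workstations. When reading a real file, open it with the encoding it was saved in (assumed here to be UTF-16, as the `[Unicode]` header suggests).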
 
