Group policy problem

[George Spiro]

To my surprise I just discovered this....

I have been playing with GPO for close to 5 years now. I consider myself a
expert and took something for granted to find out that i was wrong.

You see I live in the wonderful province of Quebec where we have Bilingual
users. So I have FRENCH workstations and ENGLISH workstations. I am not
using MUI. So I created a bunch of group policies everything looked fine
except for 1 thing. In group policies the restritive groups:

PowerUsers and Administrators werent updating the french workstations. The
only thing I could imagine is that STUPID Microsoft did not make those
policies mention:

POWERUSER GROUP = Usager avec pouvoir
ADMINISTRATOR GROUP = ADMINISTRATEUR

I am wondering how did you guys correct this problem in a Multilanguage
environment.

G.

 

[Mark Heitbrink [MVP]]

Hi,

POWERUSER GROUP = Usager avec pouvoir
ADMINISTRATOR GROUP = ADMINISTRATEUR

Same in German ... :-(
The problem is, that if you manage the security policies from an
XP workstation and you do not "browse" the accounts and verify
them in the AD, the workstion will write down the STRING Values
auf a security group and not the SID.

Take a look into the GptTmpl.inf ... :-(

Only solution: Edit GPOs on the Server with a terminal session,
the server will (nearly) always wirte the SID, or choose the
accoutn by browsing.

THe answer form MS to this problem:
Yes, there is a problem ...

Mark

 

[Joe Richards [MVP]]

I have never not seen it insert a SID when you browse for the members, even from XP.

The reason why it has to support both SIDs and names is because it is possible
the accounts may be accounts local to the members which wouldn't have the same
SIDs on every machine.

joe

 

[George Spiro]

Back from a long vacation,

Is it possible to create a Group Policy with the french accounts? In a
english DC.

Thanks in advance,

G.

 

[Mark Heitbrink [MVP]]

Hi,

Is it possible to create a Group Policy with the french accounts?
In a english DC.

Forget about the "names". Just verify, that the SIDs are used.
Otherwise, there is no problem, if the STRING entries are not
efecting any system, that doesn´t support this language.

Mark

 

[George Spiro]

How would I do that to associate SID with the account name?

G.

 

[Mark Heitbrink [MVP]]

F´UP2: microsoft.public.windows.group_policy

How would I do that to associate SID with the account name?

It worked for me to edit the GPO security settings only on the
DC via RDP session or to browse for the names and let them check
if you work from a XP Workstation.

At least you can manually edit and check the GptTmpl.inf of each
policy and work with search and replace. After that you should
open the GPO again in a GUI and change something unessesary and
revert it. Then the file will be written again/actualized but
keeps your settigns and after that be replicated.

Mark