Group policy problem

To my surprise I just discovered this....

I have been playing with GPO for close to 5 years now. I consider myself a
expert and took something for granted to find out that i was wrong.

You see I live in the wonderful province of Quebec where we have Bilingual
users. So I have FRENCH workstations and ENGLISH workstations. I am not
using MUI. So I created a bunch of group policies everything looked fine
except for 1 thing. In group policies the restritive groups:

PowerUsers and Administrators werent updating the french workstations. The
only thing I could imagine is that STUPID Microsoft did not make those
policies mention:

POWERUSER GROUP = Usager avec pouvoir
ADMINISTRATOR GROUP = ADMINISTRATEUR

I am wondering how did you guys correct this problem in a Multilanguage
environment.

G.

Hi,

George Spiro schrieb:
> POWERUSER GROUP = Usager avec pouvoir
> ADMINISTRATOR GROUP = ADMINISTRATEUR

Same in German ... :-(
The problem is, that if you manage the security policies from an
XP workstation and you do not "browse" the accounts and verify
them in the AD, the workstion will write down the STRING Values
auf a security group and not the SID.

Take a look into the GptTmpl.inf ... :-(

Only solution: Edit GPOs on the Server with a terminal session,
the server will (nearly) always wirte the SID, or choose the
accoutn by browsing.

THe answer form MS to this problem:
Yes, there is a problem ...

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.

I have never not seen it insert a SID when you browse for the members, even from XP.

The reason why it has to support both SIDs and names is because it is possible
the accounts may be accounts local to the members which wouldn't have the same
SIDs on every machine.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Mark Heitbrink [MVP] wrote:
> Hi,
>
> George Spiro schrieb:
>> POWERUSER GROUP = Usager avec pouvoir
>> ADMINISTRATOR GROUP = ADMINISTRATEUR
>
> Same in German ... :-(
> The problem is, that if you manage the security policies from an
> XP workstation and you do not "browse" the accounts and verify
> them in the AD, the workstion will write down the STRING Values
> auf a security group and not the SID.
>
> Take a look into the GptTmpl.inf ... :-(
>
> Only solution: Edit GPOs on the Server with a terminal session,
> the server will (nearly) always wirte the SID, or choose the
> accoutn by browsing.
>
> THe answer form MS to this problem:
> Yes, there is a problem ...
>
> Mark

Back from a long vacation,

Is it possible to create a Group Policy with the french accounts? In a
english DC.

Thanks in advance,

G.


"Joe Richards [MVP]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I have never not seen it insert a SID when you browse for the members, even
>from XP.
>
> The reason why it has to support both SIDs and names is because it is
> possible the accounts may be accounts local to the members which wouldn't
> have the same SIDs on every machine.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Mark Heitbrink [MVP] wrote:
>> Hi,
>>
>> George Spiro schrieb:
>>> POWERUSER GROUP = Usager avec pouvoir
>>> ADMINISTRATOR GROUP = ADMINISTRATEUR
>>
>> Same in German ... :-(
>> The problem is, that if you manage the security policies from an
>> XP workstation and you do not "browse" the accounts and verify
>> them in the AD, the workstion will write down the STRING Values
>> auf a security group and not the SID.
>>
>> Take a look into the GptTmpl.inf ... :-(
>>
>> Only solution: Edit GPOs on the Server with a terminal session,
>> the server will (nearly) always wirte the SID, or choose the
>> accoutn by browsing.
>>
>> THe answer form MS to this problem:
>> Yes, there is a problem ...
>>
>> Mark

Hi,

George Spiro schrieb:
> Is it possible to create a Group Policy with the french accounts?
> In a english DC.

Forget about the "names". Just verify, that the SIDs are used.
Otherwise, there is no problem, if the STRING entries are not
efecting any system, that doesn´t support this language.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.

How would I do that to associate SID with the account name?

G.

"Mark Heitbrink [MVP]" <spam-(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi,
>
> George Spiro schrieb:
>> Is it possible to create a Group Policy with the french accounts?
>> In a english DC.
>
> Forget about the "names". Just verify, that the SIDs are used.
> Otherwise, there is no problem, if the STRING entries are not
> efecting any system, that doesn´t support this language.
>
> Mark
> --
> Mark Heitbrink - MVP Windows Server
> Homepage: www.gruppenrichtlinien.de
> W2K FAQ : http://w2k-faq.ebend.de
> PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.

F´UP2: microsoft.public.windows.group_policy

George Spiro schrieb:
> How would I do that to associate SID with the account name?

It worked for me to edit the GPO security settings only on the
DC via RDP session or to browse for the names and let them check
if you work from a XP Workstation.

At least you can manually edit and check the GptTmpl.inf of each
policy and work with search and replace. After that you should
open the GPO again in a GUI and change something unessesary and
revert it. Then the file will be written again/actualized but
keeps your settigns and after that be replicated.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ : http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.