Re: foreign language gpo



Mark - thank you.

Your help is very much appreciated.




"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OhPVv$N1HHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Andrew Story wrote:
Part of my issue was that I added a policy to allow power users the rights
to add/remove device drivers. It works fine on all machines apart from some
that have a French OS. These particular clients have lots of SCEcli event
id:1202 errors; this seems to be caused by the fact that the name of the
power users group on a French OS is spelt differently than on an English OS
(most machines are win2k, Policy editing machine is Win XP with GPMC).

Alright, then you don't only have the problem of ADMs, which is easy
to handle, because ADMs are only in the wrong language, but still work,
because it's only registry editing.

Your problem with the Power Users Group is a little bit more difficult.

The problem is that you edited the GPO from a system that did not write
the SID of the group into the GPO; it wrote the STRING (name) of the
group, and the name is always different in the different languages.
You need the SID (well-known ID) of the group inside your GPO to get it
to work.
Usually, if you use the GPMC on a DC (not a 2003 member srv, or XP
Workstation) the DC will always use the SID, not the name.
There is a known "bug" if you are editing from a member and enter the
name of the group without browsing the AD.
There is a special issue with the "Power Users", because they do not
exist in an AD, only locally on a client, and so the group can't be
found by browsing.

Best way to handle it:
Take a client and open MMC -> Snapin "Security Templates" -> create a new
Edit the template to fit your need and save the "mysettings.inf".
Open the file:

It should look like this:
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeLoadDriverPrivilege = Power Users
                        ^^^^^^^^^^^
that's the NAME/STRING, we don't want this!

Change it to:
SeLoadDriverPrivilege = *S-1-5-32-547

"Well-known security identifiers in Windows operating systems"
http://support.microsoft.com/kb/243330/en-us

Be sure to add the "*", otherwise, the "number" will be taken as
a STRING and not as a SID.

Save this file and open the GPO, move to "Security Settings" in
your computer config and right click on it. Import your INF file.

Now, the "SeLoadDriverPrivilege" is defined to use the well-known SID
and it will work in every language.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - German
Blog: gpupdate.spaces.live.com - English
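
Added example (not part of the original posts, and not Microsoft's or Mark's code): a small Python check that applies the fix described above to a security template before it is imported into a GPO. It rewrites [Privilege Rights] values that are group names, or SIDs missing the leading "*", into *SID form and reports anything it cannot resolve. The function names, the sample template and the "Custom Local Group" entry are constructed for illustration; the name-to-SID table holds only the Power Users entry given in the post.

```python
import re

# Group name (lower case) -> well-known SID. Only the entry from the post is
# listed here (assumption: you extend it yourself from KB 243330).
WELL_KNOWN = {"power users": "S-1-5-32-547"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)


def classify(value):
    """'sid' (*S-1-...), 'bare-sid' (no '*', so read as a string) or 'name'."""
    if value.startswith("*") and SID_RE.match(value[1:]):
        return "sid"
    return "bare-sid" if SID_RE.match(value) else "name"


def fix_privilege_rights(inf_text, well_known=WELL_KNOWN):
    """Rewrite [Privilege Rights] values to *SID form; return (text, findings)."""
    # Each finding is (right, original value, kind, was_fixed).
    out, findings, section = [], [], None
    for line in inf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "privilege rights" and "=" in stripped:
            right, _, rhs = stripped.partition("=")
            right, values = right.strip(), []
            for value in filter(None, (v.strip() for v in rhs.split(","))):
                kind, new = classify(value), value
                if kind == "bare-sid":
                    new = "*" + value          # without '*' it is a STRING
                elif kind == "name" and value.lower() in well_known:
                    new = "*" + well_known[value.lower()]
                if kind != "sid":
                    findings.append((right, value, kind, new != value))
                values.append(new)
            line = f"{right} = {','.join(values)}"
        out.append(line)
    return "\n".join(out), findings


# Constructed sample, modelled on the template shown in the post.
SAMPLE = """[Version]
[Privilege Rights]
SeLoadDriverPrivilege = Power Users,*S-1-5-32-544
SeShutdownPrivilege = S-1-5-32-547,Custom Local Group
"""

if __name__ == "__main__":
    print(fix_privilege_rights(SAMPLE)[0])
```

Any finding whose last field is False is a name the script could not map; such an entry will still be language-dependent after import and needs its SID looked up by hand.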

