Built-in groups fail when importing SCM GPO backup in different language

  • Question

  • Hi, everybody.

    Using SCM 2.0 on Windows 7 Spanish client against an AD domain which originally was Spanish (although at present all DCs run English version OS).

    With SCM I select XPG-EC-Domain and export it using the backup method.

    Next I launch GPMC on Windows 7, create a new GPO and attempt to import the GPO.  I get warnings:

    (translated from Spanish)

    [Warning] Cannot resolve security identity [Administrators]. The task will continue, however, there may be unresolved security entities in the target GPO.

    Same warning for [Users] and [Guests].

    As the domain was originally in Spanish, group names are Administradores, Usuarios, and Invitados.

    Tried using a migration table, but it doesn't support built-in groups.

    Please advise on how to copy the SCM GPOs in a non-English environment.

    Thanks and regards,

    Mario

    Wednesday, February 8, 2012 7:21 PM

All replies

  • Mario;

    We only tested SCM on versions of Windows running US-English, so you may run into unexpected results. This particular behavior occurs because some of the baselines include account names, for example, all of the user rights assignment policy settings. I think you already understand that when you import a GPO backup that includes account names GPMC will display a warning and ask you if you'd like to provide a migration table. The thing is, SCM exports the SID for each built-in group, so mapping of Administrators to Administradores should be seamless. Can you send me a copy of the baseline and/or GPO backup file at secwish@microsoft.com? I'm curious which settings are not represented by well-known SIDs. Please include a link to this thread in your email.

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Wednesday, February 8, 2012 8:11 PM
  • Hi, Kurt.

    Thanks for your reply.

    I just sent the GPO backup you requested.

    Thanks,

    Mario

    Thursday, February 9, 2012 9:07 PM
  • Mario,

    I hope to have time to review what you sent later today.

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Friday, February 10, 2012 4:00 PM
  • Hi, Kurt.

    From my investigation, in particular with the XPG-EC-Domain GPO, it's the Backup.xml file that includes references to built-in groups by name.  The GptTmpl.inf file makes no reference to them.

    I replaced Administrators/Administradores; Users/Usuarios; Guests/Invitados within Backup.xml and the import was successful.

    Now, for other GPOs, there might be several references within different GPO files, and I suspect some of them could be in binary format.

    I understand manually editing the GPO files isn't supported, but I did just this one file for testing purposes.

    Hope you can check the GPO Backup mechanism so it uses well known SIDs instead of name references to them.

    Thanks,

    Mario

    Friday, February 10, 2012 6:37 PM
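
A read-only pre-import check for the situation described in the post above, added here as an example and not part of the original thread or of SCM/GPMC. It counts English built-in group names in a backup's Backup.xml and compares them with the names the local system uses for the same well-known SIDs. Assumptions: the function names are hypothetical, names appear in Backup.xml as complete element or CDATA values, and the script runs on a machine whose built-in group names match the target domain.

```powershell
# Added example (not SCM or GPMC code). Read-only: the backup is never modified.
# English names and well-known SIDs of the three built-in groups from the thread.
$builtin = @(
    @{ Name = 'Administrators'; Sid = 'S-1-5-32-544' },
    @{ Name = 'Users';          Sid = 'S-1-5-32-545' },
    @{ Name = 'Guests';         Sid = 'S-1-5-32-546' }
)

function Get-LocalizedBuiltinName {
    param([Parameter(Mandatory = $true)][string]$Sid)
    # Translate() resolves the SID on this system and returns, for example,
    # BUILTIN\Administradores on a Spanish installation.
    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    return ($account -split '\\')[-1]
}

function Test-GpoBackupBuiltinNames {
    param([Parameter(Mandatory = $true)][string]$BackupXmlPath)
    $fullPath = (Resolve-Path -LiteralPath $BackupXmlPath).ProviderPath
    $text     = [System.IO.File]::ReadAllText($fullPath)
    foreach ($group in $builtin) {
        $localName = Get-LocalizedBuiltinName -Sid $group.Sid
        # Assumption: a name appears as a complete element or CDATA value,
        # optionally prefixed with BUILTIN\ ; this avoids matching "Domain Users".
        $pattern = '(?<=[>\[\\])' + [regex]::Escape($group.Name) + '(?=[<\]])'
        $count   = [regex]::Matches($text, $pattern).Count
        New-Object PSObject -Property @{
            EnglishName = $group.Name
            Sid         = $group.Sid
            LocalName   = $localName
            Occurrences = $count
            # Flag for review when the English name is present in the file
            # and differs from the name this system uses for the same SID.
            NeedsReview = ($count -gt 0 -and $localName -ne $group.Name)
        }
    }
}

# Usage (hypothetical path):
# Test-GpoBackupBuiltinNames -BackupXmlPath 'C:\GPOBackups\{GUID}\Backup.xml' |
#     Format-Table EnglishName, LocalName, Sid, Occurrences, NeedsReview -AutoSize
```

Rows with NeedsReview set to True correspond to the names GPMC reported as unresolved in the question; the script only reports them and leaves the backup files untouched.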
  • ...

    As for XPG-EC-Desktop, this one does contain built-in group references within the user rights section, and those seem to be imported correctly (just checked some of them).

    So it seems the issue is only cosmetic and related only to the Backup.xml file.  Still, I hope the dev team will look into this and further ensure no GPO settings are failing to be imported in this non-English scenario.

    Thanks,

    Mario

    Friday, February 10, 2012 7:10 PM
  • Mario;

    Thanks for testing so thoroughly and sharing your results. I'll ask the developers of SCM to take a look at this thread and make sure that we're creating GPO backups that are as close as feasible to what GPMC generates. I'm pretty sure that that's what SCM does already though; if that's the case then I don't think there's anything they can do to make it easier to import GPOs into domains that are running languages other than US English.

    Chau;

    Kurt


    Kurt Dillard http://www.kurtdillard.com


    • Edited by Kurt Dillard Monday, February 13, 2012 3:22 PM
    • Marked as answer by mdgrkb Tuesday, February 14, 2012 1:44 PM
    Monday, February 13, 2012 3:03 PM
  • Mario;

    One of my colleagues who has seen the situation you encountered explained to me that it's actually just a warning when you start the import in GPMC, and that you can ignore it and proceed with the import. He also suggested a simple workaround if you don't want to see the warning when importing the same GPO in the future:

    1. create the GPO in SCM.

    2. import it and dismiss the error in GPMC.

    3. export it from GPMC.

    4. share with coworkers and/or copy to other domains for importation.

    We don't think it's a bug in SCM, but rather the way moving GPOs between domains with different locales is supposed to function. The workaround above can help ensure that your customers and coworkers don't have to see the warning message.


    Kurt Dillard http://www.kurtdillard.com

    • Proposed as answer by Kurt Dillard Tuesday, February 14, 2012 7:32 PM
    • Marked as answer by mdgrkb Thursday, February 16, 2012 9:26 PM
    Tuesday, February 14, 2012 7:32 PM
  • Thank you all for your help.  Will proceed as suggested.

    Best regards,

    Mario

    Thursday, February 16, 2012 9:27 PM