Recently I saw an application failing to do certain check/manipulation with built-in groups/local policies on localized version of Windows Server 2012 R2 (French, German). In localized versions of Windows group names and policy names are translated into localization language. This lead me to a question: what options Microsoft provides to manipulate/address those objects without relying on localized names? Obviously there is some way of doing this otherwise there should be numerous problems with localized versions.
Can somebody tell me what's available for addressing these groups irrespective of localized name? (RID? some API functions?)
Looking at particular issue I saw with localized versions of Windows it seems that there could be some issues with languages which are using letters with diacritical symbols.
Asked
Active
Viewed 1,568 times
2
Mikhail
- 1,295
- 3
- 19
- 35
1 Answers
1
Windows is using SID for securable objects. Buit-in objects have predefinied SID = http://support.microsoft.com/kb/243330/en-us so you can use those while checking localized versions.
You may also use the following approach> https://msdn.microsoft.com/cs-cz/library/system.security.principal.windowsbuiltinrole(v=vs.110).aspx Example in PS:
$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
(New-Object Security.Principal.WindowsPrincipal $currentUser).IsInRole(`
[Security.Principal.WindowsBuiltinRole]::Administrator)
Regarding the Policy names = can you please share an example of what you are actually trying to do?
CMy
- 99
- 7
-
Policy names example: I have local policy "Logon as a batch job" which is "Вход в систему в качестве пакетного задания" in Russian version of Windows and I want to check if Domain Users ("Пользователи домена") included there/granted this right. – Mikhail Jan 26 '15 at 13:35
-
Take a look here: https://gallery.technet.microsoft.com/Get-Set-Remove-NT-Rights-0a8a36db in fact the *name* you are looking for is: "SeBatchLogonRight" – CMy Feb 02 '15 at 13:52