I need to reference the "Domain-Admins" group in a batch file. The line in question looks like this:
icacls "test\folder" /grant mydomain.com\Domain-Admins:F
... and works as expected.
But how do I reference the "Domain-Admin" group in general? My german windows server tells me something about "Domänen-Admins", the Italians call ist "Amministratore-Admins" (or whatever) and I dont want to know what the russian Domain Admins call themselves. I did not want to offend any international names, there must just be a solution for a generic adressing of roles. I need a solution for everybody - like Microsoft had in mind (hopefully) when they used SIDs.
I know the SID of the domain admin group looks like S-1-5-21mydomainsid-512, but icacls does not understand S-1-5-21*-512.
How do I use icacls wisely when I need to reference international group names?
You should be able to grant by SID with icacls. Microsoft documentation even has an example granting permissions by SID.
Is each international locale a different domain/sid? You would need to add the sid or icacls separately for each domain into the batch file.