[Samba] Group Policy Permissions

Michal Sládek michal at sladkovi.eu
Wed Aug 15 16:34:58 UTC 2018


2018-08-15 6:56 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:

> 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
>> On Tue, 14 Aug 2018 20:52:04 +0200
>> Michal Sládek via samba <samba at lists.samba.org> wrote:
>>
>> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
>> > <samba at lists.samba.org>:
>> >
>> > > On Tue, 14 Aug 2018 20:15:04 +0200
>> > > Michal Sládek via samba <samba at lists.samba.org> wrote:
>> > >
>> > > > Thank you for your suggestion, I read the whole discussion.
>> > > >
>> > > > My situation is a little bit different - my machine policy works,
>> > > > but it stops working once I remove Apply permission from
>> > > > Authenticated Users and replace it with Read and Apply permission
>> > > > for Domain Computers.
>> > > >
>> > > > Group Policy Results in RSAT shows Reason Denied: Access Denied
>> > > > (Security Filtering) for affected computer.
>> > > >
>> > > > The same result I get with command gpresult /Z /SCOPE COMPUTER:
>> > > >
>> > > >     The following GPOs were not applied because they were filtered out
>> > > >     -------------------------------------------------------------------
>> > > >         Import CA Certificates
>> > > >             Filtering:  Denied (Security)
>> > > >
>> > > > I don't understand why the Domain Computers group is not enough...
>> > > >
>> > >
>> > > That triggered a memory 'MS16-072', see here:
>> > >
>> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
>> > >
>> > > and here:
>> > >
>> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
>> > >
>> > > Also here:
>> > >
>> > > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
>> > >
>> > > Rowland
>> > >
>> >
>> > I know about those changes, but they affected only user policies
>> > (context changed from user to computer account while retrieving the
>> > policy from server).
>>
>> What is the difference between an AD user and a computer?
>>
>> One objectclass -> 'computer'
>> The 'sAMAccountName' attribute content has a '$' on the end.
>> That is it.
>>
>> A computer, when it is logged in, is a member of 'Authenticated Users'
>>
>> Rowland
>>
>
> That is exactly the reason why I would expect computer configuration group
> policy to work with the Domain Computers group.
>
> But your note inspired me to make another test. I changed Security
> Filtering from the Domain Computers group to a computer account, in my case
> WINMGMT$ (AD\WINMGMT$). And the policy started to work, which really makes
> me crazy. What is the difference? The Winmgmt computer is a domain member and
> so a member of the Domain Computers group.
>
> Now I really don't understand the behavior. The group policy is linked to
> the whole domain, I didn't create any custom OU...
>
> Michal
>

Does anybody have any suggestion why group policies related to computer
configuration work when Security Filtering is set to Authenticated Users or
a computer account but don't work when Security Filtering is set to the Domain
Computers group? I would really like to know whether this is a bug in Samba
code or in my brain...

Michal

