[Samba] Samba4 Disable USB ports

L.P.H. van Belle belle at bazuin.nl
Fri May 22 06:26:52 MDT 2015 

Hai, 

>I don't know if is a Windows problem, but i've got the same behavior trying
>to set Firewall rules. I've fixed the problem changing the "Domain Users"
>in GPO "Security Filter" for "Authenticated Users" and now is working fine.

i suggest you start reading from here.
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part1.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part2.html
http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Top-10-Reasons-Why-Group-Policy-Fails-to-Apply-Part3.html

I bet your missing a right as shown in Part 2, picture 3. ( the Aply group policy right ) 

and you can try with adding : 
 acl_xattr:ignore system acl = yes 
to netlogon and sysvol share.

Louis


>-----Oorspronkelijk bericht-----
>Van: gabriel.franca at gmail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Gabriel Franca
>Verzonden: vrijdag 22 mei 2015 14:09
>Aan: Daniel Carrasco Marín
>CC: samba at lists.samba.org; Neil
>Onderwerp: Re: [Samba] Samba4 Disable USB ports
>
>Good morning Daniel,
>
>The amendment that I spoke have to be done on the server.
>
>All user created in Samba4 receives the "Domain Users" group 
>as primary.
>
>I did several tests on the GPO to no avail.
>
>When I took the User of the "Domain Users" and put in "Domain 
>Admins" the GPO to make any changes now operates.
>
>I believe that because of the "Domain Users" did not have 
>privileges to edit the GPO record in the station can not be applied.
>
>I wonder if the guys who are using Samba 4, is using 
>successfully GPOS the "Domain Users"
>
>Sincerely,
>
>Gabriel Franca
>
>
>
>> Em 22/05/2015, à(s) 09:01, Daniel Carrasco Marín 
><danielmadrid19 at gmail.com> escreveu:
>> 
>> 
>> 
>> 2015-05-22 13:32 GMT+02:00 Gabriel Franca 
><gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>>:
>> 
>> I found it strange more and something I have already noticed a while.
>> 
>> No GPO is applied when the User is the "Domain Users", so I 
>wonder if I'm doing something wrong or I have to change something.
>> 
>> I believe the "Domain Users" are not allowed to change the 
>Windows registry so the issue.
>> 
>> Sincerely,
>> 
>> Gabriel Franca
>> 
>> 
>> I don't know if is a Windows problem, but i've got the same 
>behavior trying to set Firewall rules. I've fixed the problem 
>changing the "Domain Users" in GPO "Security Filter" for 
>"Authenticated Users" and now is working fine.
>> 
>> I hope this help.
>> 
>> Greetings!!
>>  
>> 
>> > Em 22/05/2015, à(s) 02:31, Neil <nwilson123 at gmail.com 
><mailto:nwilson123 at gmail.com>> escreveu:
>> >
>> > Good morning everyone,
>> >
>> > Gabriel: I haven't had a chance to test this yet, but I'm 
>also needing the same IE: Domain Users to have the GPO 
>applied. Did you come right with this?
>> >
>> > Andrey: Thank you for letting me know about the SysVol 
>replication across DC's, I haven't enabled this yet and will 
>be doing so, is there anything I should watch out for? I'll 
>just be using the 
>"https://wiki.samba.org/index.php/SysVol_Replication 
><https://wiki.samba.org/index.php/SysVol_Replication> 
><https://wiki.samba.org/index.php/SysVol_Replication 
><https://wiki.samba.org/index.php/SysVol_Replication>>" 
>because I don't require Bi-Directional Replication.
>> >
>> > Thank you.
>> >
>> > Regards.
>> >
>> > Neil Wilson.
>> >
>> >
>> > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca 
><gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com> 
><mailto:gabriel.franca at gmail.com 
><mailto:gabriel.franca at gmail.com>>> wrote:
>> > Good morning friends !!!
>> >
>> > I am following this topic and performed some tests to 
>validate the process and noted the following.
>> >
>> > 1) when the User is the "Domain Users" GPO is not applied.
>> >
>> > 2) when the user is the "Domain Admins" the GPO is applied.
>> >
>> > Is there any way to apply the GPOS "Domain Users" ???
>> >
>> > Sincerely,
>> >
>> > Gabriel Franca
>> >
>> >
>> > > Em 20/05/2015, à(s) 09:37, Neil <nwilson123 at gmail.com 
><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com 
><mailto:nwilson123 at gmail.com>>> escreveu:
>> > >
>> > > Hi Louis,
>> > >
>> > > Thank you very much for your speedy response. I'll 
>definitely go ahead and
>> > > investigate further.
>> > >
>> > > Much appreciated.
>> > >
>> > > Regards.
>> > >
>> > > Neil Wilson.
>> > >
>> > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle 
><belle at bazuin.nl <mailto:belle at bazuin.nl> 
><mailto:belle at bazuin.nl <mailto:belle at bazuin.nl>>> wrote:
>> > >
>> > >> yes, this is possible, by GPO.
>> > >>
>> > >> In GPO, go to:
>> > >> (user or computer )Configuration
>> > >>        - Policy
>> > >>                ? Administrative template
>> > >>                        ? System
>> > >>                                ? Removable storage Access
>> > >>
>> > >> Play with these settings to get what you want.
>> > >>
>> > >> for Managing Hardware Restrictions via Group Policy read :
>> > >> 
>http://technet.microsoft.com/en-us/magazine/cc138012.aspx 
><http://technet.microsoft.com/en-us/magazine/cc138012.aspx> 
><http://technet.microsoft.com/en-us/magazine/cc138012.aspx 
><http://technet.microsoft.com/en-us/magazine/cc138012.aspx>>
>> > >>
>> > >>
>> > >> Greetz,
>> > >>
>> > >> Louis
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>> -----Oorspronkelijk bericht-----
>> > >>> Van: nwilson123 at gmail.com 
><mailto:nwilson123 at gmail.com> <mailto:nwilson123 at gmail.com 
><mailto:nwilson123 at gmail.com>>
>> > >>> [mailto:samba-bounces at lists.samba.org 
><mailto:samba-bounces at lists.samba.org> 
><mailto:samba-bounces at lists.samba.org 
><mailto:samba-bounces at lists.samba.org>>] Namens Neil
>> > >>> Verzonden: woensdag 20 mei 2015 12:10
>> > >>> Aan: samba
>> > >>> Onderwerp: [Samba] Samba4 Disable USB ports
>> > >>>
>> > >>> Hi guys,
>> > >>>
>> > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC 
>with another 4
>> > >>> Samba4 DC's all joined to the same AD domain myorg.local
>> > >>>
>> > >>> My client wants me to disable all USB ports for all the users
>> > >>> joined to the
>> > >>> domain.
>> > >>>
>> > >>> Is it possible to do this via a group policy so that users
>> > >>> logging onto any
>> > >>> of the DC's will not be able to use their USB ports?
>> > >>>
>> > >>> I currently admin my AD with a combination of the samba-tool
>> > >>> as well as the
>> > >>> AD Users and Groups MMC Windows utility.
>> > >>>
>> > >>> Any guidance is greatly appreciated.
>> > >>>
>> > >>> Thank you.
>> > >>>
>> > >>> Regards.
>> > >>>
>> > >>> Neil Wilson
>> > >>> --
>> > >>> To unsubscribe from this list go to the following URL 
>and read the
>> > >>> instructions:  
>https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba> 
><https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba>>
>> > >>>
>> > >>>
>> > >>
>> > >> --
>> > >> To unsubscribe from this list go to the following URL 
>and read the
>> > >> instructions:  
>https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba> 
><https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba>>
>> > >>
>> > > --
>> > > To unsubscribe from this list go to the following URL 
>and read the
>> > > instructions:  
>https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba> 
><https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba>>
>> >
>> >
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba 
><https://lists.samba.org/mailman/options/samba>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list