[Samba] Samba4 Disable USB ports

Daniel Carrasco Marín danielmadrid19 at gmail.com
Fri May 22 06:25:01 MDT 2015


2015-05-22 14:08 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com>:

> Good morning Daniel,
>
> The amendment that I spoke have to be done on the server.
>
> All user created in Samba4 receives the "Domain Users" group as primary.
>
> I did several tests on the GPO to no avail.
>
> When I took the User of the "Domain Users" and put in "Domain Admins" the
> GPO to make any changes now operates.
>
> I believe that because of the "Domain Users" did not have privileges to
> edit the GPO record in the station can not be applied.
>
> I wonder if the guys who are using Samba 4, is using successfully GPOS the
> "Domain Users"
>
> Sincerely,
>
> Gabriel Franca
>

Good morning Gabriel,

Yes, I know it, and i'm talking about GPO policies on a Samba 4 AD using
RSAT tools. I don't know why but it happen just as you said, when you try
to set a policy to a "Domain Users" or "Domain Computers" is not applied,
but if you use "Authenticated Users" as "Security Filter" on GPO then it
works.

I attach two images so you see what I mean.

Greetings!!


>
>
> Em 22/05/2015, à(s) 09:01, Daniel Carrasco Marín <danielmadrid19 at gmail.com>
> escreveu:
>
>
>
> 2015-05-22 13:32 GMT+02:00 Gabriel Franca <gabriel.franca at gmail.com>:
>
>>
>> I found it strange more and something I have already noticed a while.
>>
>> No GPO is applied when the User is the "Domain Users", so I wonder if I'm
>> doing something wrong or I have to change something.
>>
>> I believe the "Domain Users" are not allowed to change the Windows
>> registry so the issue.
>>
>> Sincerely,
>>
>> Gabriel Franca
>>
>>
> I don't know if is a Windows problem, but i've got the same behavior
> trying to set Firewall rules. I've fixed the problem changing the "Domain
> Users" in GPO "Security Filter" for "Authenticated Users" and now is
> working fine.
>
> I hope this help.
>
> Greetings!!
>
>
>>
>> > Em 22/05/2015, à(s) 02:31, Neil <nwilson123 at gmail.com> escreveu:
>> >
>> > Good morning everyone,
>> >
>> > Gabriel: I haven't had a chance to test this yet, but I'm also needing
>> the same IE: Domain Users to have the GPO applied. Did you come right with
>> this?
>> >
>> > Andrey: Thank you for letting me know about the SysVol replication
>> across DC's, I haven't enabled this yet and will be doing so, is there
>> anything I should watch out for? I'll just be using the "
>> https://wiki.samba.org/index.php/SysVol_Replication <
>> https://wiki.samba.org/index.php/SysVol_Replication>" because I don't
>> require Bi-Directional Replication.
>> >
>> > Thank you.
>> >
>> > Regards.
>> >
>> > Neil Wilson.
>> >
>> >
>> > On Thu, May 21, 2015 at 1:22 PM, Gabriel Franca <
>> gabriel.franca at gmail.com <mailto:gabriel.franca at gmail.com>> wrote:
>> > Good morning friends !!!
>> >
>> > I am following this topic and performed some tests to validate the
>> process and noted the following.
>> >
>> > 1) when the User is the "Domain Users" GPO is not applied.
>> >
>> > 2) when the user is the "Domain Admins" the GPO is applied.
>> >
>> > Is there any way to apply the GPOS "Domain Users" ???
>> >
>> > Sincerely,
>> >
>> > Gabriel Franca
>> >
>> >
>> > > Em 20/05/2015, à(s) 09:37, Neil <nwilson123 at gmail.com <mailto:
>> nwilson123 at gmail.com>> escreveu:
>> > >
>> > > Hi Louis,
>> > >
>> > > Thank you very much for your speedy response. I'll definitely go
>> ahead and
>> > > investigate further.
>> > >
>> > > Much appreciated.
>> > >
>> > > Regards.
>> > >
>> > > Neil Wilson.
>> > >
>> > > On Wed, May 20, 2015 at 1:24 PM, L.P.H. van Belle <belle at bazuin.nl
>> <mailto:belle at bazuin.nl>> wrote:
>> > >
>> > >> yes, this is possible, by GPO.
>> > >>
>> > >> In GPO, go to:
>> > >> (user or computer )Configuration
>> > >>        - Policy
>> > >>                – Administrative template
>> > >>                        – System
>> > >>                                – Removable storage Access
>> > >>
>> > >> Play with these settings to get what you want.
>> > >>
>> > >> for Managing Hardware Restrictions via Group Policy read :
>> > >> http://technet.microsoft.com/en-us/magazine/cc138012.aspx <
>> http://technet.microsoft.com/en-us/magazine/cc138012.aspx>
>> > >>
>> > >>
>> > >> Greetz,
>> > >>
>> > >> Louis
>> > >>
>> > >>
>> > >>
>> > >>
>> > >>> -----Oorspronkelijk bericht-----
>> > >>> Van: nwilson123 at gmail.com <mailto:nwilson123 at gmail.com>
>> > >>> [mailto:samba-bounces at lists.samba.org <mailto:
>> samba-bounces at lists.samba.org>] Namens Neil
>> > >>> Verzonden: woensdag 20 mei 2015 12:10
>> > >>> Aan: samba
>> > >>> Onderwerp: [Samba] Samba4 Disable USB ports
>> > >>>
>> > >>> Hi guys,
>> > >>>
>> > >>> I'm running a Sernet-samba-ad-4.1.17-11.el6.x86_64 PDC with another
>> 4
>> > >>> Samba4 DC's all joined to the same AD domain myorg.local
>> > >>>
>> > >>> My client wants me to disable all USB ports for all the users
>> > >>> joined to the
>> > >>> domain.
>> > >>>
>> > >>> Is it possible to do this via a group policy so that users
>> > >>> logging onto any
>> > >>> of the DC's will not be able to use their USB ports?
>> > >>>
>> > >>> I currently admin my AD with a combination of the samba-tool
>> > >>> as well as the
>> > >>> AD Users and Groups MMC Windows utility.
>> > >>>
>> > >>> Any guidance is greatly appreciated.
>> > >>>
>> > >>> Thank you.
>> > >>>
>> > >>> Regards.
>> > >>>
>> > >>> Neil Wilson
>> > >>> --
>> > >>> To unsubscribe from this list go to the following URL and read the
>> > >>> instructions:  https://lists.samba.org/mailman/options/samba <
>> https://lists.samba.org/mailman/options/samba>
>> > >>>
>> > >>>
>> > >>
>> > >> --
>> > >> To unsubscribe from this list go to the following URL and read the
>> > >> instructions:  https://lists.samba.org/mailman/options/samba <
>> https://lists.samba.org/mailman/options/samba>
>> > >>
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions:  https://lists.samba.org/mailman/options/samba <
>> https://lists.samba.org/mailman/options/samba>
>> >
>> >
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>


More information about the samba mailing list