[Samba] GPO Security Filtering "Access Denied"

Alex Crow acrow at integrafin.co.uk
Mon Dec 19 18:51:44 UTC 2016

On 19/12/16 18:27, Alex Crow via samba wrote:
> On 19/12/16 17:57, Miguel medalha wrote:
>>>> No, I don't, because this is a loopback and I only want certain
>>>> users on these computers to have the screensaver and lock disabled.
>>>> If I did that it would apply to everyone.
>> No, it wouldn't apply to everyone. As of April this year, according
>> to Microsoft, all policies must have "Authenticated Users" with
>> "Read" privilege. Note that in order to apply a policy you need to
>> have "Read" AND "Apply" under security filtering.
> If that is the case, why when "Authenticated users" is in the list, it
> applies to *every* user on those machines? Right now it behaves as
> expected but I just won't  be able to add more that 6 entities to the
> list when I finally need to. The 7th one I try to add is *no*
> different to any of the other's I added before.
> There also is no option to change anything with regard to "read" or
> "apply" in security filtering.
> When it's a loopback policy, according to MS you have to either add
> either "Domain Computers", a particular computer account, or a group
> of computer accounts. This works for me, until I will have to add more
> than 6 groups or accounts!
> Cheers
> Alex
Just thinking out loud, could this be because sysvol is on XFS and I
didn't tune to allow extra space for xattrs? The FS that contains sysvol
was formatted with defaults and is mounted as:



This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).

More information about the samba mailing list