[Samba] Rights issue on GPO

L.P.H. van Belle belle at bazuin.nl
Mon Jun 27 13:37:12 UTC 2016


A good howto, for example:

http://www.itingredients.com/how-to-disable-usb-ports-using-group-policy/

Only I did not do this as a computer policy but as a user policy.

In short:
1) create 2 groups:
	USB-Allowed
	USB-Denied

2) create 2 policy objects:
	USB-Allowed
	USB-Denied

   and set the allow policies
   (as shown in the link, but under the user policies)

3) add the correct group to the same GPO object (allowed with allowed, etc.)

4) link the policy objects in an OU where you can test and where the user is.

5) set the order of these policies to Allowed above Denied.
	Order 1 2 3 is applied as 3 2 1.
	1 is highest, so..

This is a bit like what I have ...

Domain users: all external devices are denied.
And based on group memberships:
DVD-Read
DVD-Write
USB-... etc.

And all these are failing.
I noticed all security groups which are not "Authenticated Users" are failing.

Which is a problem for me since all my policies are group-right based.

I also noticed that in my Samba 4 AD DC domain I have 4 groups in
ForeignSecurityPrincipals (CN=ForeignSecurityPrincipals):
S-1-5-4	(member of: Users in CN=Builtin)
S-1-5-11	(member of: Users and Pre-Windows 2000... in CN=Builtin)
S-1-5-17	(member of: IIS_IUSRS in CN=Builtin)
S-1-5-9	(member of: Windows Authorization Access Group in CN=Builtin)

I don't see any in ForeignSecurityPrincipals on my 2008R2.



Greetz, 

Louis



> 
> 
> Two things Louis:
> 
> if you look very closely at the differences in the 'ERROR' message, you
> will find the only difference is this:
> 
> O:LAG:DAD:PAR(
> 
> against the expected:
> 
> O:DAG:DAD:PAR(
> 
> The returned ACL is owned by the 'Local Admins', but it should be owned
> by 'Domain Admins'. As far as I can see, Windows doesn't really care who
> owns an object, as long as the ACEs are correct and they are!
> 
> Secondly, more than happy to try adding a GPO, only problem is, I have
> never really added one, can you point me at a good howto ?
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
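The ACL comparison made in the quoted reply (owner 'LA' versus 'DA', ACEs otherwise identical), as an added Python example that is not part of this thread: it splits two SDDL strings into owner, group, ACL flags and ACE lists and reports only the fields that differ, expanding the well-known aliases so the owner mismatch is readable. Only the two "O:...D:PAR(" prefixes come from the thread; the ACE list, the alias table and the function names are constructed here.

```python
import re
# Subset of SDDL aliases (MS-DTYP 2.4.2.4) with the well-known SID behind each;
# <domain> stands for the domain-specific S-1-5-21-... prefix.
SDDL_ALIASES = {
    "LA": ("S-1-5-21-<domain>-500", "built-in Administrator account"),
    "DA": ("S-1-5-21-<domain>-512", "Domain Admins"),
    "IU": ("S-1-5-4", "Interactive"),
    "ED": ("S-1-5-9", "Enterprise Domain Controllers"),
    "AU": ("S-1-5-11", "Authenticated Users"),
    "IS": ("S-1-5-17", "IUSR (IIS)"),
}
# O:, G:, D:, S: are the only colons in plain SDDL (conditional ACEs excluded),
# so each section simply runs up to the next marker.
_SD_RE = re.compile(r"^(?:O:(?P<owner>[^:]*?))?(?:G:(?P<group>[^:]*?))?"
                    r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>[^:]*))?$")
def parse_sddl(sddl):
    """Split SDDL into owner, group, per-ACL flags and ACE-string lists."""
    m = _SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an SDDL string: %r" % sddl)
    parts = {"owner": m.group("owner"), "group": m.group("group")}
    for acl in ("dacl", "sacl"):
        raw = m.group(acl) or ""
        parts[acl + "_flags"] = raw.split("(", 1)[0]  # e.g. "PAR"
        parts[acl] = re.findall(r"\(([^)]*)\)", raw)  # e.g. "A;OICI;FA;;;DA"
    return parts

def resolve(sid):
    # Expand a known two-letter alias to "alias (name, SID)"; else unchanged.
    if isinstance(sid, str) and sid in SDDL_ALIASES:
        return "%s (%s, %s)" % (sid, SDDL_ALIASES[sid][1], SDDL_ALIASES[sid][0])
    return sid

def diff_sddl(actual, expected):
    """{field: (actual, expected)}; ACE-list entries are (unexpected, missing)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = {}
    for key in ("owner", "group", "dacl_flags", "sacl_flags"):
        if a[key] != e[key]:
            out[key] = (a[key], e[key])
    for key in ("dacl", "sacl"):
        extra = [x for x in a[key] if x not in e[key]]
        missing = [x for x in e[key] if x not in a[key]]
        if extra or missing:
            out[key] = (extra, missing)
    return out

# Constructed sample: the O:/G:/D: prefixes are from the thread, the ACEs are
# hand-written (a typical GPO DACL) and not taken from any real system.
ACES = "(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
ACTUAL, EXPECTED = "O:LAG:DAD:PAR" + ACES, "O:DAG:DAD:PAR" + ACES
```

Running `diff_sddl(ACTUAL, EXPECTED)` on the sample yields only an owner mismatch, which is the situation the quoted reply describes; a non-empty `dacl` entry would instead point at a real ACE problem.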
