[Samba] Rights issue on GPO
L.P.H. van Belle
belle at bazuin.nl
Mon Jun 27 13:37:12 UTC 2016
A good howto, for example:
http://www.itingredients.com/how-to-disable-usb-ports-using-group-policy/
Only I did not do this as a computer policy but as a user policy.
In short,
1) create 2 groups:
USB-Allowed
USB-Denied
2) create 2 policy objects,
USB-Allowed
USB-Denied
And set in the allow policies
( as shown in the link but under the user policies )
3) add correct group to the same GPO object. ( allowed with allowed , etc )
4) link the policy objects in an OU where you can test and where the user is.
5) set the order of these policies to Allowed above the Denied.
Order 123 , is applied as 3 2 1.
1 is highest so..
This is a bit like I have ...
Domain users, all external devices are denied.
And based on group memberships :
DVD-Read
DVD-Write
USB-.. . etc etc.
And all these are failing.
I noticed all security groups which are not "Authenticated Users" are failing.
Which is a problem for me since all my policies are group right based.
I also noticed that in my Samba 4 AD DC domain I have 4 groups in
ForeignSecurityPrincipals (CN=ForeignSecurityPrincipals )
S-1-5-4 ( Member of : Users in CN=Builtin )
S-1-5-11 ( member of : Users and Pre-windows 2000... ) in CN=Builtin
S-1-5-17 ( member of : IIS_IUSRS ) in CN=Builtin
S-1-5-9 ( member of : Windows Authorization Access Group ) in CN=Builtin
I don't see any in ForeignSecurityPrincipals on my 2008R2
Greetz,
Louis
>
>
> Two things Louis:
>
> if you look very closely at the differences in the 'ERROR' message, you
> will find the only difference is this:
>
> O:LAG:DAD:PAR(
>
> against the expected:
>
> O:DAG:DAD:PAR(
>
> The returned ACL is owned by the 'Local Admins', but it should be owned
> by 'Domain Admins'. As far as I can see, Windows doesn't really care who
> owns an object, as long as the ACEs are correct and they are!
>
> Secondly, more than happy to try adding a GPO, only problem is, I have
> never really added one, can you point me at a good howto?
>
> Rowland
>
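The comparison described in the quoted message above, as an added example that is not part of either post and is not Samba's own code: this Python splits two SDDL strings into owner, group, ACL flags and ACEs and reports which components differ. The `O:LAG:DAD:PAR` and `O:DAG:DAD:PAR` prefixes come from the thread; the ACEs and all function names are constructed for illustration.

```python
import re

SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"  # full SID string or two-letter SDDL alias
ACES = r"(?:\([^()]*\))*"           # plain ACEs only; conditional ACEs are not handled
SDDL_RE = re.compile(
    rf"^(?:O:(?P<owner>{SID}))?(?:G:(?P<group>{SID}))?"
    rf"(?:D:(?P<dacl_flags>[A-Z_]*)(?P<dacl>{ACES}))?"
    rf"(?:S:(?P<sacl_flags>[A-Z_]*)(?P<sacl>{ACES}))?$"
)

# Prefixes are the ones quoted in the thread; the ACEs are constructed sample values.
SAMPLE_ACES = "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)"
ACTUAL = "O:LAG:DAD:PAR" + SAMPLE_ACES
EXPECTED = "O:DAG:DAD:PAR" + SAMPLE_ACES


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, ACL flags and ACE lists."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError(f"unparseable SDDL: {sddl!r}")
    parts = {k: v or "" for k, v in m.groupdict().items()}
    for key in ("dacl", "sacl"):
        # One list entry per ACE, in order (ACE order is compared as-is).
        parts[key] = re.findall(r"\(([^()]*)\)", parts[key])
    return parts


def diff_sddl(actual, expected):
    """Return {component: (actual, expected)} for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


def only_owner_differs(actual, expected):
    """True when the descriptors match in everything except the owner."""
    return set(diff_sddl(actual, expected)) == {"owner"}


if __name__ == "__main__":
    for component, (got, want) in diff_sddl(ACTUAL, EXPECTED).items():
        print(f"{component}: got {got!r}, expected {want!r}")
    print("only owner differs:", only_owner_differs(ACTUAL, EXPECTED))
```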