[Samba] GPO administration right on the station for ordinary user

Miguel Medalha medalist at sapo.pt
Mon Apr 3 19:30:58 UTC 2017


> I verified the Wiki doc and here it works like described (without 
> setting a filter). I did exactly what is described in the Wiki. To 
> verify, I added a regular domain user to the domain group I set in the 
> GPO, and after I log in as this user on a domain member, this account 
> had local admin permissions.
>
> Doesn't this work in your installation? What happens if you don't set 
> the filter?
>

Some months ago my GPOs suddenly stopped being applied. After much head 
scratching I found that a Windows 7 security update had brought a change 
of behavior on the part of the Windows 7 clients.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum, the "Authenticated Users" and "Domain Computers" group MUST have 
Read Permissions on the Group Policy Object (GPO).

I reported this problem and its solution to this list:
https://lists.samba.org/archive/samba/2016-July/201546.html





More information about the samba mailing list