[Samba] GPO administration right on the station for ordinary user

Miguel Medalha medalist at sapo.pt
Mon Apr 3 19:30:58 UTC 2017

> I verified the Wiki doc and here it works like described (without 
> setting a filter). I did exactly what is described in the Wiki. To 
> verify, I added a regular domain user to the domain group I set in the 
> GPO, and after I log in as this user on a domain member, this account 
> had local admin permissions.
> Doesn't this work in your installation? What happens if you don't set 
> the filter?

Some months ago my GPOs suddenly stopped being applied. After much head 
scratching I found that a Windows 7 security update had brought a change 
of behavior on the part of the Windows 7 clients.

MS16-072: Security update for Group Policy: June 14, 2016

The following page explains the issues and the corrective measures.

In sum, the "Authenticated Users" and "Domain Computers" group MUST have 
Read Permissions on the Group Policy Object (GPO).

I reported this problem and its solution to this list:

More information about the samba mailing list