[Samba] GPO administration right on the station for ordinary user

Marc Muehlfeld mmuehlfeld at samba.org
Mon Apr 3 21:23:37 UTC 2017

Hi Miguel,

Am 03.04.2017 um 22:10 schrieb Miguel Medalha via samba:
 > MS16-072: Security update for Group Policy: June 14, 2016
 > https://support.microsoft.com/en-gb/kb/3159398
> The Wiki page you pointed to describes a modification to the *Default
> Domain Policy*. This is probably why you never met the issue I
> described. As I reported on my previous post, the Default Domain Policy
> was the only one that kept working after the Microsoft update. All the
> other GPOs that I had set stopped being applied.

Thanks for the details.

I found an interesting blog post from MS support team that explains why 
it is working here:

This part explains it:

 > If permissions on any of the Group Policy Objects in your active
 > Directory domain have not been modified, are using the defaults, and
 > as long as Kerberos authentication is working fine in your Active
 > Directory forest (i.e. there are not Kerberos errors visible in the
 > system event log on client computers while accessing domain
 > resources), there is nothing else you need to make sure before you
 > deploy the security update.
 > In some deployments, administrators may have removed the
 > “Authenticated Users” group from some or all Group Policy Objects
 > (Security filtering, etc.)
 > In such cases, you will need to make sure of the following before you
 > deploy the security update: ...

I verified this with the "Default Domain Policy" and with a new GPO. 
Both had the "Authenticated Users" in the "Security Filters" list by 
default and it worked. I tried it on Win 10 (patchlevel March 2017) and 
on a fresh Win10 Pro 1511 without any further updates. It's the default 
setting, and we didn't tell the reader in the Wiki to change it.

Anyway, it is worth mentioning this in the documentation, so the reader 
verifies the security filter entries. I added an additional step to both 
procedures in the doc.

Louis and Miguel, thanks for bringing this up.


More information about the samba mailing list