[Samba] GPO administration right on the station for ordinary user

L.P.H. van Belle belle at bazuin.nl
Tue Apr 4 06:21:48 UTC 2017

Hai Marc, 

Well first, no you did nothing wrong here.
This was fine when you wrote it, but after the BadLock Bug, 
Microsoft change the way some policies are applied. 

A good explaination here.

Best regards, 


> -----Oorspronkelijk bericht-----
> Van: Marc Muehlfeld [mailto:mmuehlfeld at samba.org]
> Verzonden: maandag 3 april 2017 17:22
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] GPO administration right on the station for
> ordinary user
> Hi Louis,
> Am 03.04.2017 um 17:01 schrieb L.P.H. van Belle via samba:
> > But thats missing info..  :-(
> >
> > Maybe its also a good thing to add just after the first picture on the
> wiki.
> > That the security filter on the GPO MUST have "authenticated users" or
> Domain computer group.
> > You decide.
> thanks for bringing this up. I will verify this later.
> I'm 85% sure, I never set a security filter on GPOs. On the other side,
> it's more than 2 years ago that I wrote this doc and even longer that I
> implemented restricted groups in a production AD. So it's possible that
> I'm wrong. :-)
> I looked at some other guides online that describe restricted groups,
> but none (incl. the one you posted in this thread) tells about changing
> the default filter settings.
> Why do I need this filter and what happens if I don't set it?
> Regards,
> Marc

More information about the samba mailing list