[Samba] GPO administration right on the station for ordinary user
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 4 07:13:47 UTC 2017
Hai Marc,
Your welkom, i see you already got the info from Miguel.
( started at the bottem of my e-mails.. sorry for the noise)
And thanks Miguel from me also, great its picked-up now.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: Marc Muehlfeld [mailto:mmuehlfeld at samba.org]
> Verzonden: maandag 3 april 2017 23:24
> Aan: Miguel Medalha; L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] GPO administration right on the station for
> ordinary user
>
> Hi Miguel,
>
> Am 03.04.2017 um 22:10 schrieb Miguel Medalha via samba:
> > MS16-072: Security update for Group Policy: June 14, 2016
> > https://support.microsoft.com/en-gb/kb/3159398
> >
> > The Wiki page you pointed to describes a modification to the *Default
> > Domain Policy*. This is probably why you never met the issue I
> > described. As I reported on my previous post, the Default Domain Policy
> > was the only one that kept working after the Microsoft update. All the
> > other GPOs that I had set stopped being applied.
>
> Thanks for the details.
>
> I found an interesting blog post from MS support team that explains why
> it is working here:
> https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-
> policy-security-update-ms16-072-kb3163622/
>
> This part explains it:
>
> > If permissions on any of the Group Policy Objects in your active
> > Directory domain have not been modified, are using the defaults, and
> > as long as Kerberos authentication is working fine in your Active
> > Directory forest (i.e. there are not Kerberos errors visible in the
> > system event log on client computers while accessing domain
> > resources), there is nothing else you need to make sure before you
> > deploy the security update.
> >
> > In some deployments, administrators may have removed the
> > “Authenticated Users” group from some or all Group Policy Objects
> > (Security filtering, etc.)
> >
> > In such cases, you will need to make sure of the following before you
> > deploy the security update: ...
>
> I verified this with the "Default Domain Policy" and with a new GPO.
> Both had the "Authenticated Users" in the "Security Filters" list by
> default and it worked. I tried it on Win 10 (patchlevel March 2017) and
> on a fresh Win10 Pro 1511 without any further updates. It's the default
> setting, and we didn't tell the reader in the Wiki to change it.
>
> Anyway, it is worth mentioning this in the documentation, so the reader
> verifies the security filter entries. I added an additional step to both
> procedures in the doc.
>
> Louis and Miguel, thanks for bringing this up.
>
>
> Regards,
> Marc
More information about the samba
mailing list