[Samba] GPO administration right on the station for ordinary user

L.P.H. van Belle belle at bazuin.nl
Tue Apr 4 07:13:47 UTC 2017

Hai Marc, 

Your welkom, i see you already got the info from Miguel. 
( started at the bottem of my e-mails.. sorry for the noise) 

And thanks Miguel from me also, great its picked-up now.



> -----Oorspronkelijk bericht-----
> Van: Marc Muehlfeld [mailto:mmuehlfeld at samba.org]
> Verzonden: maandag 3 april 2017 23:24
> Aan: Miguel Medalha; L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] GPO administration right on the station for
> ordinary user
> Hi Miguel,
> Am 03.04.2017 um 22:10 schrieb Miguel Medalha via samba:
>  > MS16-072: Security update for Group Policy: June 14, 2016
>  > https://support.microsoft.com/en-gb/kb/3159398
>  >
> > The Wiki page you pointed to describes a modification to the *Default
> > Domain Policy*. This is probably why you never met the issue I
> > described. As I reported on my previous post, the Default Domain Policy
> > was the only one that kept working after the Microsoft update. All the
> > other GPOs that I had set stopped being applied.
> Thanks for the details.
> I found an interesting blog post from MS support team that explains why
> it is working here:
> https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-
> policy-security-update-ms16-072-kb3163622/
> This part explains it:
>  > If permissions on any of the Group Policy Objects in your active
>  > Directory domain have not been modified, are using the defaults, and
>  > as long as Kerberos authentication is working fine in your Active
>  > Directory forest (i.e. there are not Kerberos errors visible in the
>  > system event log on client computers while accessing domain
>  > resources), there is nothing else you need to make sure before you
>  > deploy the security update.
>  >
>  > In some deployments, administrators may have removed the
>  > “Authenticated Users” group from some or all Group Policy Objects
>  > (Security filtering, etc.)
>  >
>  > In such cases, you will need to make sure of the following before you
>  > deploy the security update: ...
> I verified this with the "Default Domain Policy" and with a new GPO.
> Both had the "Authenticated Users" in the "Security Filters" list by
> default and it worked. I tried it on Win 10 (patchlevel March 2017) and
> on a fresh Win10 Pro 1511 without any further updates. It's the default
> setting, and we didn't tell the reader in the Wiki to change it.
> Anyway, it is worth mentioning this in the documentation, so the reader
> verifies the security filter entries. I added an additional step to both
> procedures in the doc.
> Louis and Miguel, thanks for bringing this up.
> Regards,
> Marc

More information about the samba mailing list