[Samba] GPO administration right on the station for ordinary user

Miguel medalha medalist at sapo.pt
Tue Apr 4 10:10:39 UTC 2017

> A good explaination here.
> http://www.mistercloudtech.com/2016/06/22/june-14th-windows-update-changes-group-policy-security-filtering/

Thank you for the info. Perhaps it would be helpful to have this link (and the relevant Microsoft ones?) on the WiKi page. If not, it seems to me that the text recently added by Marc should specify that the permission required for "Authenticated Users" is just "Read", not "Read and Apply", as per the default values for a new policy. As it is, users may be left with the impression that the default is required as it is... which would apply the GPO to all "Authenticated Users". A bit confusing to some?

The text added by Marc states the following: "Verify that the "Authenticated Users" principal is listed in the "Security Filters" list (this is the default)."

In fact, what needs to be verified in order for a policy object to work is the following:

Under the "Delegation" tab, click the "Advanced" button. A "Security Settings" box opens. Verify that "Authenticated Users" has "Read" permission. "Apply group policy" permission is NOT needed unless you specifically need it for your purposes. Alternatively, as per the Microsoft documents, give "Domain Computers" (or specific domain computers) at least "Read" permission.

Thank you, Louis and Marc.

More information about the samba mailing list