[Samba] GPO Filter Group/User

Carlos A. P. Cunha carlos.hollow at gmail.com
Thu Jun 1 14:00:47 UTC 2017


Hello!

It is a share-mapping GPO, which I only want to apply when the user is in the 
X group.
But it only works when I apply the filter with "Authenticated Users" 
(default); when I change it to a specific user/group it does not work.
On Windows, with "gpresult /r", the GPO does not show as loaded.

Regards


On 01-06-2017 08:05, Sebastian Arcus via samba wrote:
> On 31/05/17 22:26, Carlos A. P. Cunha wrote:
>> Hello!
>>
>> Thanks.
>>
>> I'm trying but still unsuccessful .....
>
> Is this a computer or a user GPO?
>
>
>>
>>
>> On 30-05-2017 16:05, Sebastian Arcus via samba wrote:
>>>
>>> On 30/05/17 15:42, Carlos A. P. Cunha via samba wrote:
>>>> Hello!
>>>>
>>>> My Configuration:
>>>>
>>>> lsb_release -a
>>>>
>>>> No LSB modules are available.
>>>> Distributor ID: Ubuntu
>>>> Description:    Ubuntu 14.04.3 LTS
>>>> Release:        14.04
>>>> Codename:       trusty
>>>>
>>>> Version Samba:
>>>>
>>>> samba-tool -V
>>>> 4.4.4
>>>>
>>>> My problem is creating a GPO with group filtering, as I want 
>>>> the GPO to be applied only to a specific group.
>>>> When I do this (filter), it does not load the GPO; it loads only when I leave 
>>>> the default (Authenticated Users).
>>>> Is there something wrong with Samba or something different?
>>>
>>> I've hit this a few weeks back, and it turns out that it is the 
>>> default behaviour in Active Directory on the Windows side as well - 
>>> not just Samba. Essentially, if you want to do security filtering on 
>>> GPOs, you have to add the desired group or user in the security 
>>> tab, and then go in the Delegation tab, click on Advanced, and 
>>> remove the "Apply" rights for Authenticated Users - but leave the 
>>> "Read" right in place. You should not remove the "Authenticated 
>>> Users" from the security tab (but it will disappear from there when 
>>> you remove its "Apply" privilege).
>>>
>>> The bottom line is that the "Authenticated Users" have to stay in 
>>> with the "Read" permission - otherwise the whole GPO doesn't work.
>>>
>>> I hope the above makes sense - as I don't have the UI in front of 
>>> me, and I'm typing from memory.
>>>
>>
>
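Added example, not part of the original thread and not Samba's own code: a small checker that reads the SDDL form of a GPO's security descriptor and reports where it departs from the layout described in the quoted reply (Authenticated Users keeps Read but not Apply, the filter group has Read and Apply). The group SID and the three SDDL strings are constructed sample values, and the function names are hypothetical.

```python
import re

# rightsGuid of the "Apply Group Policy" extended right in Active Directory.
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
READ = {"RP", "LC", "RC"}  # read property, list children, read control

def rights_for(sddl, trustee):
    """Return (can_read, can_apply) granted to one trustee by allow ACEs."""
    can_read = can_apply = False
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        kind, _flags, rights, guid, _iguid, who = fields[:6]
        if who != trustee or kind not in ("A", "OA"):
            continue
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if kind == "A" and READ <= codes:
            can_read = True
        # CR = control access; an empty GUID means every extended right.
        if "CR" in codes and guid.lower() in ("", APPLY_GPO):
            can_apply = True
    return can_read, can_apply

def check_filter(sddl, group):
    """List deviations from the layout described in the thread."""
    problems = []
    au_read, au_apply = rights_for(sddl, "AU")  # AU = Authenticated Users
    grp_read, grp_apply = rights_for(sddl, group)
    if not au_read:
        problems.append("Authenticated Users has no Read")
    if au_apply:
        problems.append("Authenticated Users still has Apply")
    if not (grp_read and grp_apply):
        problems.append(group + " lacks Read+Apply")
    return problems

# Constructed sample data (assumed SID for the "X group").
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMIN = "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
GRP = "(A;CI;RPLCLORC;;;%s)(OA;CI;CR;%s;;%s)" % (GROUP, APPLY_GPO, GROUP)
DEFAULT = ADMIN + "(A;CI;RPLCLORC;;;AU)(OA;CI;CR;%s;;AU)" % APPLY_GPO
BROKEN = ADMIN + GRP                           # AU removed entirely
WORKING = ADMIN + "(A;CI;RPLCLORC;;;AU)" + GRP  # AU keeps Read only

if __name__ == "__main__":
    for name in ("DEFAULT", "BROKEN", "WORKING"):
        print(name, check_filter(globals()[name], GROUP) or "ok")
```

The checker only looks at allow ACEs naming the trustee directly; deny ACEs and nested group membership are out of scope here.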


