[Samba] GPO Filter Group/User

Elias Pereira empbilly at gmail.com
Thu Jun 1 20:38:51 UTC 2017


Try to execute on the DC
 samba-tool ntacl sysvolreset
and after that verify if GPO is applied.

Em 1 de jun de 2017 11:05, "Carlos A. P. Cunha via samba" <
samba at lists.samba.org> escreveu:

Hello!

A Sharing mapping GPO, which I only want to work when the user is in the X
group.
But it only works when I apply the filter with "Authenticated Users"
(Default), when mute for user / group specific does not work.
On windows with "gpresult / r" the gpo does not look as loaded.

Regards



Em 01-06-2017 08:05, Sebastian Arcus via samba escreveu:

> On 31/05/17 22:26, Carlos A. P. Cunha wrote:
>
>> Hello!
>>
>> Thanks.
>>
>> I'm trying but still unsuccessful .....
>>
>
> Is this a computer or a user GPO?
>
>
>
>>
>> Em 30-05-2017 16:05, Sebastian Arcus via samba escreveu:
>>
>>>
>>> On 30/05/17 15:42, Carlos A. P. Cunha via samba wrote:
>>>
>>>> Hello!
>>>>
>>>> My Configuration:
>>>>
>>>> lsb_release -a
>>>>
>>>> No LSB modules are available.
>>>> Distributor ID: Ubuntu
>>>> Description:    Ubuntu 14.04.3 LTS
>>>> Release:        14.04
>>>> Codename:       trusty
>>>>
>>>> Version Samba:
>>>>
>>>> samba-tool -V
>>>> 4.4.4
>>>>
>>>> My problem is, create a GPO with group Filtering, in case I want the
>>>> GPO to be applied only to a specific group.
>>>> When I do this (Filter) it does not load the GPO, only when I leave the
>>>> default (Authenticated User).
>>>> Is there something wrong with Samba or something different?
>>>>
>>>
>>> I've hit this a few weeks back, and it turns out that it is the default
>>> behaviour in Active Directory on the Windows side as well - not just Samba.
>>> Essentially, if you want to do security filtering on GPO's, you have to add
>>> the desired group or user in the security tab, and then go in the
>>> Delegation tab, click on Advanced, and remove the "Apply" rights for
>>> Authenticated Users - but leave the "Read" right in place. You should not
>>> remove the "Authenticated Users" from the security tab (but it will
>>> disappear from there when you remove its "Apply" privilege).
>>>
>>> The bottom line is that the "Authenticated Users" have to stay in with
>>> the "Read" permission - otherwise the whole GPO doesn't work.
>>>
>>> I hope the above makes sense - as I don't have the UI in front of me,
>>> and I'm typing from memory.
>>>
>>>
>>
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


More information about the samba mailing list