[Samba] GPO Filter Group/User
Sebastian Arcus
s.arcus at open-t.co.uk
Tue May 30 19:05:51 UTC 2017
On 30/05/17 15:42, Carlos A. P. Cunha via samba wrote:
> Hello!
>
> My Configuration:
>
> lsb_release -a
>
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description: Ubuntu 14.04.3 LTS
> Release: 14.04
> Codename: trusty
>
> Version Samba:
>
> samba-tool -V
> 4.4.4
>
> My problem is, create a GPO with group Filtering, in case I want the GPO
> to be applied only to a specific group.
> When I do this (Filter) it does not load the GPO, only when I leave the
> default (Authenticated User).
> Is there something wrong with Samba or something different?
I've hit this a few weeks back, and it turns out that it is the default
behaviour in Active Directory on the Windows side as well - not just
Samba. Essentially, if you want to do security filtering on GPO's, you
have to add the desired group or user in the security tab, and then go
in the Delegation tab, click on Advanced, and remove the "Apply" rights
for Authenticated Users - but leave the "Read" right in place. You
should not remove the "Authenticated Users" from the security tab (but
it will disappear from there when you remove its "Apply" privilege).
The bottom line is that the "Authenticated Users" have to stay in with
the "Read" permission - otherwise the whole GPO doesn't work.
I hope the above makes sense - as I don't have the UI in front of me,
and I'm typing from memory.
More information about the samba
mailing list