[Samba] GPO Filter Group/User

Sebastian Arcus s.arcus at open-t.co.uk
Tue May 30 19:05:51 UTC 2017


On 30/05/17 15:42, Carlos A. P. Cunha via samba wrote:
> Hello!
> 
> My Configuration:
> 
> lsb_release -a
> 
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 14.04.3 LTS
> Release:        14.04
> Codename:       trusty
> 
> Version Samba:
> 
> samba-tool -V
> 4.4.4
> 
> My problem is, create a GPO with group Filtering, in case I want the GPO 
> to be applied only to a specific group.
> When I do this (Filter) it does not load the GPO, only when I leave the 
> default (Authenticated User).
> Is there something wrong with Samba or something different?

I've hit this a few weeks back, and it turns out that it is the default 
behaviour in Active Directory on the Windows side as well - not just 
Samba. Essentially, if you want to do security filtering on GPO's, you 
have to add the desired group or user in the security tab, and then go 
in the Delegation tab, click on Advanced, and remove the "Apply" rights 
for Authenticated Users - but leave the "Read" right in place. You 
should not remove the "Authenticated Users" from the security tab (but 
it will disappear from there when you remove its "Apply" privilege).

The bottom line is that the "Authenticated Users" have to stay in with 
the "Read" permission - otherwise the whole GPO doesn't work.

I hope the above makes sense - as I don't have the UI in front of me, 
and I'm typing from memory.



More information about the samba mailing list