[Samba] GPO Filter Group/User
Miguel Medalha
medalist at sapo.pt
Tue May 30 19:25:42 UTC 2017
> My problem is, create a GPO with group Filtering, in case I want the
> GPO to be applied only to a specific group.
> When I do this (Filter) it does not load the GPO, only when I leave
> the default (Authenticated User).
> Is there something wrong with Samba or something different?

For a GPO to work, Authenticated Users must have "Read" permission.

Please note that in order for the policy to be applied to a specific
group, that group must have "Read" and "Apply group policy" permissions.
So, giving "Read" permission to Authenticated Users does NOT apply the
policy to all Authenticated Users.

Please have a look at the following:

Windows update changes Group Policy Security Filtering (MS16-072)
http://www.mistercloudtech.com/2016/06/22/june-14th-windows-update-changes-group-policy-security-filtering/

What needs to be verified in order for a policy object to work is the
following:

Under the "Delegation" tab, click the "Advanced" button. A "Security
Settings" box opens. Verify that "Authenticated Users" has "Read"
permission. "Apply group policy" permission is NOT needed unless you
specifically need it for your purposes. Alternatively, as per the
Microsoft documents, give "Domain Computers" (or specific domain
computers) at least "Read" permission.

The relevant Microsoft documents are here:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures:
https://support.microsoft.com/en-gb/kb/3163622
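
The check described in the message above can also be run against a GPO's security descriptor in SDDL form. The following is an added example, not part of the original message or of Samba; the SDDL strings and the group SID are constructed samples, and the function applies the message's rule literally to ACEs that name the trustee directly (it does not resolve group membership).

```python
import re

# "Apply group policy" is an extended right (control access, CR) with this GUID.
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
# The "Read" level on a GPO: read property, list contents, list object, read control.
GPO_READ = RIGHTS["RP"] | RIGHTS["LC"] | RIGHTS["LO"] | RIGHTS["RC"]

def mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    m = 0
    for i in range(0, len(rights), 2):
        m |= RIGHTS.get(rights[i:i + 2], 0)
    return m

def check_filter(sddl, target, readers=("AU", "DC")):
    """Check the two conditions from the message for one GPO security descriptor.

    readers: SDDL aliases for Authenticated Users (AU) and Domain Computers (DC).
    """
    read, apply_, denied = set(), set(), set()
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        typ, _flags, rights, obj, _inh, sid = ace.split(";")[:6]
        m = mask(rights)
        # A CR ACE with no object GUID covers every extended right, including Apply.
        is_apply = bool(m & RIGHTS["CR"]) and obj.lower() in ("", APPLY_GPO)
        if typ in ("A", "OA"):
            if typ == "A" and m & GPO_READ == GPO_READ:
                read.add(sid)
            if is_apply:
                apply_.add(sid)
        elif typ in ("D", "OD") and is_apply:
            denied.add(sid)
    return {"computer_can_read": any(s in read for s in readers),
            "target_applies": target in read and target in apply_ and target not in denied}

# Constructed samples: GROUP is a made-up SID for the filter group.
GROUP = "S-1-5-21-1-2-3-1105"
# Authenticated Users removed entirely: the filtering mistake from the question.
BROKEN = ("O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLCLORC;;;ED)"
          "(A;CI;RPLCLORC;;;" + GROUP + ")(OA;CI;CR;" + APPLY_GPO + ";;" + GROUP + ")")
# Same GPO with "Read" (and only "Read") restored for Authenticated Users.
FIXED = BROKEN + "(A;CI;RPLCLORC;;;AU)"
```

`check_filter(FIXED, "AU")` reports `target_applies` as false, which matches the point made in the message: "Read" for Authenticated Users alone does not apply the policy to them.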