[Samba] Group Policy Permissions

Michal Sládek michal at sladkovi.eu
Tue Aug 14 18:15:04 UTC 2018

Thank you for your suggestion, I read the whole discussion.

My situation is a little bit different - my machine policy works, but it
stops working once I remove Apply permission from Authenticated Users and
replace it with Read and Apply permission for Domain Computers.

Group Policy Results in RSAT shows Reason Denied: Access Denied (Security
Filtering) for affected computer.

I get the same result with the command gpresult /Z /SCOPE COMPUTER:

    The following GPOs were not applied because they were filtered out
        Import CA Certificates
            Filtering:  Denied (Security)

I don't understand why the Domain Computers group is not enough...


2018-08-14 19:27 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Aug 2018 19:07:29 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
> > Hi all!
> >
> > I have an AD domain based on Samba 4.7.6. I created a group policy that
> > installs CA certificate as trusted root CA.
> >
> > The policy works when security filtering is set to Authenticated
> > Users. But when I remove Apply permission of Authenticated Users in
> > Delegation tab (Read permission remains) and add Domain Computers to
> > Security Filtering, policy is not applied anymore.
> >
> > I am a newbie in AD but I thought that Read and Apply permissions for
> > Domain Computers should be enough if the policy changes computer
> > configuration only. Is that assumption wrong? Or should I look further
> > for a problem in my Samba configuration?
> >
> > I don't get any errors on my workstation when running
> > gpupdate /force, the policy is just not applied.
> >
> > Any help would be appreciated!
> >
> > Michal
> Reading this thread might help:
> https://lists.samba.org/archive/samba/2018-February/213656.html
> Rowland
