[Samba] Group Policy Permissions
Michal Sládek
michal at sladkovi.eu
Tue Aug 14 18:52:04 UTC 2018
2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 14 Aug 2018 20:15:04 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your suggestion, I read the whole discussion.
> >
> > My situation is little bit different - my machine policy works, but it
> > stops working once I remove Apply permission from Authenticated Users
> > and replace it with Read and Apply permission for Domain Computers.
> >
> > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > (Security Filtering) for affected computer.
> >
> > The same result I get with command gpresult /Z /SCOPE COMPUTER:
> >
> > The following GPOs were not applied because they were filtered out
> > -------------------------------------------------------------------
> > Import CA Certificates
> > Filtering: Denied (Security)
> >
> > I don't understand why Domain Computers group is not enough...
> >
>
> That triggered a memory 'MS16-072', see here:
>
> https://support.microsoft.com/en-gb/help/3159398/ms16-072-
> description-of-the-security-update-for-group-policy-june-14-2
>
> and here:
>
> https://support.microsoft.com/en-gb/help/3163622/ms16-072-
> security-update-for-group-policy-june-14-2016
>
> Also here:
>
> https://social.technet.microsoft.com/Forums/windows/
> en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-
> ms16072-updates?forum=winserverGP
>
> Rowland
>
I know about those changes, but they affected only user policies (context
changed from user to computer account while retrieving the policy from
server).
I would appreciate a lot if somebody could test my scenario on Samba AD
domain - create any group policy that affects computer configuration and
set Security Filtering to Domain Computers only.
Michal
More information about the samba
mailing list