[Samba] Group Policy Permissions
Robert Marcano
robert at marcanoonline.com
Tue Aug 14 19:04:52 UTC 2018
On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:
> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
>> On Tue, 14 Aug 2018 20:15:04 +0200
>> Michal Sládek via samba <samba at lists.samba.org> wrote:
>>
>>> Thank you for your suggestion, I read the whole discussion.
>>>
>>> My situation is little bit different - my machine policy works, but it
>>> stops working once I remove Apply permission from Authenticated Users
>>> and replace it with Read and Apply permission for Domain Computers.
>>>
>>> Group Policy Results in RSAT shows Reason Denied: Access Denied
>>> (Security Filtering) for affected computer.
>>>
>>> The same result I get with command gpresult /Z /SCOPE COMPUTER:
>>>
>>> The following GPOs were not applied because they were filtered out
>>> -------------------------------------------------------------------
>>> Import CA Certificates
>>> Filtering: Denied (Security)
>>>
>>> I don't understand why Domain Computers group is not enough...
>>>
>>
>> That triggered a memory 'MS16-072', see here:
>>
>> https://support.microsoft.com/en-gb/help/3159398/ms16-072-
>> description-of-the-security-update-for-group-policy-june-14-2
>>
>> and here:
>>
>> https://support.microsoft.com/en-gb/help/3163622/ms16-072-
>> security-update-for-group-policy-june-14-2016
>>
>> Also here:
>>
>> https://social.technet.microsoft.com/Forums/windows/
>> en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-
>> ms16072-updates?forum=winserverGP
>>
>> Rowland
>>
>
> I know about those changes, but they affected only user policies (context
> changed from user to computer account while retrieving the policy from
> server).
>
> I would appreciate a lot if somebody could test my scenario on Samba AD
> domain - create any group policy that affects computer configuration and
> set Security Filtering to Domain Computers only.
Fedora?
>
> Michal
>
More information about the samba
mailing list