[Samba] Group Policy Permissions

Michal Sládek michal at sladkovi.eu
Tue Aug 14 19:11:47 UTC 2018 

Servers runs CentOS 7, workstations run Windows 10 Pro with latest updates.

I use Tranquil repo: http://samba.tranquil.it/centos7/stable/x86_64/

The whole domain is new, no migration, everything was set up according
Samba wiki (which is excellent by the way!)

Michal



2018-08-14 21:04 GMT+02:00 Robert Marcano via samba <samba at lists.samba.org>:

> On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:
>
>> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org
>> >:
>>
>> On Tue, 14 Aug 2018 20:15:04 +0200
>>> Michal Sládek via samba <samba at lists.samba.org> wrote:
>>>
>>> Thank you for your suggestion, I read the whole discussion.
>>>>
>>>> My situation is little bit different - my machine policy works, but it
>>>> stops working once I remove Apply permission from Authenticated Users
>>>> and replace it with Read and Apply permission for Domain Computers.
>>>>
>>>> Group Policy Results in RSAT shows Reason Denied: Access Denied
>>>> (Security Filtering) for affected computer.
>>>>
>>>> The same result I get with command gpresult /Z /SCOPE COMPUTER:
>>>>
>>>>      The following GPOs were not applied because they were filtered out
>>>>      -----------------------------------------------------------
>>>> --------
>>>>          Import CA Certificates
>>>>              Filtering:  Denied (Security)
>>>>
>>>> I don't understand why Domain Computers group is not enough...
>>>>
>>>>
>>> That triggered a memory 'MS16-072', see here:
>>>
>>> https://support.microsoft.com/en-gb/help/3159398/ms16-072-
>>> description-of-the-security-update-for-group-policy-june-14-2
>>>
>>> and here:
>>>
>>> https://support.microsoft.com/en-gb/help/3163622/ms16-072-
>>> security-update-for-group-policy-june-14-2016
>>>
>>> Also here:
>>>
>>> https://social.technet.microsoft.com/Forums/windows/
>>> en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-
>>> ms16072-updates?forum=winserverGP
>>>
>>> Rowland
>>>
>>>
>> I know about those changes, but they affected only user policies (context
>> changed from user to computer account while retrieving the policy from
>> server).
>>
>> I would appreciate a lot if somebody could test my scenario on Samba AD
>> domain - create any group policy that affects computer configuration and
>> set Security Filtering to Domain Computers only.
>>
>
> Fedora?
>
>
>> Michal
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list