[Samba] Group Policy Permissions

Rowland Penny rpenny at samba.org
Tue Aug 14 20:51:33 UTC 2018


On Tue, 14 Aug 2018 20:52:04 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> 
> > On Tue, 14 Aug 2018 20:15:04 +0200
> > Michal Sládek via samba <samba at lists.samba.org> wrote:
> >
> > > Thank you for your suggestion, I read the whole discussion.
> > >
> > > My situation is a little bit different - my machine policy works,
> > > but it stops working once I remove Apply permission from
> > > Authenticated Users and replace it with Read and Apply permission
> > > for Domain Computers.
> > >
> > > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > > (Security Filtering) for affected computer.
> > >
> > > The same result I get with command gpresult /Z /SCOPE COMPUTER:
> > >
> > >     The following GPOs were not applied because they were filtered out
> > >     -------------------------------------------------------------------
> > >         Import CA Certificates
> > >             Filtering:  Denied (Security)
> > >
> > > I don't understand why Domain Computers group is not enough...
> > >
> >
> > That triggered a memory 'MS16-072', see here:
> >
> > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> >
> > and here:
> >
> > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> >
> > Also here:
> >
> > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> >
> > Rowland
> >
> 
> I know about those changes, but they affected only user policies
> (context changed from user to computer account while retrieving the
> policy from server).

What is the difference between an AD user and a computer?

One objectclass -> 'computer'
The 'sAMAccountName' attribute content has a '$' on the end.
That is it.

A computer, when it is logged in, is a member of 'Authenticated Users'.

Rowland
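
Added example, not part of the original post and not Samba code: a small Python check that reads the SDDL form of a GPO's security descriptor and reports which trustees hold Read and Apply Group Policy, then what is left for a token containing a given set of groups, which is the comparison the thread turns on (Authenticated Users versus Domain Computers). Assumptions: trustees appear as SDDL aliases (`AU`, `DC`, `DA`, `SY`), rights are two-letter SDDL codes rather than hex masks, any matching deny beats an allow, inherit-only flags are ignored, and the sample descriptors are constructed.

```python
import re

# "Apply Group Policy" extended right (controlAccessRight GUID in the AD schema).
APPLY_GPO = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
READ = {"RP", "LC", "LO", "RC"}  # the rights GPMC groups as "Read"

def gpo_filtering(sddl):
    """Return {trustee: {"allow": set, "deny": set}} over {"read", "apply"}."""
    report = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA", "D", "OD"):
            continue  # audit ACEs or malformed entries
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        codes = set(re.findall(r"[A-Z]{2}", rights))
        deny = ace_type in ("D", "OD")
        found = set()
        # A deny of any read right breaks Read; an allow must carry all of them.
        if not obj_guid and (codes & READ if deny else READ <= codes):
            found.add("read")
        # CR with no object GUID covers every extended right, Apply included.
        if "CR" in codes and obj_guid.lower() in ("", APPLY_GPO):
            found.add("apply")
        entry = report.setdefault(trustee, {"allow": set(), "deny": set()})
        entry["deny" if deny else "allow"] |= found
    return report

def effective(sddl, token_trustees):
    """Rights left for a token holding the given trustees; deny beats allow."""
    allow, deny = set(), set()
    for trustee, entry in gpo_filtering(sddl).items():
        if trustee in token_trustees:
            allow |= entry["allow"]
            deny |= entry["deny"]
    return allow - deny

# Constructed sample descriptors (not taken from the thread).
ADMIN = "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
DEFAULT = ("O:DAG:DAD:PAI" + ADMIN + "(A;CI;RPLCLORC;;;AU)"
           "(OA;CI;CR;" + APPLY_GPO + ";;AU)")
FILTERED = ("O:DAG:DAD:PAI" + ADMIN + "(A;CI;RPLCLORC;;;DC)"
            "(OA;CI;CR;" + APPLY_GPO + ";;DC)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT), ("filtered", FILTERED)):
        print(name, {t: sorted(e["allow"]) for t, e in gpo_filtering(sddl).items()})
        print("  token {AU}:", sorted(effective(sddl, {"AU"})))
        print("  token {AU, DC}:", sorted(effective(sddl, {"AU", "DC"})))
```

The result only describes what the ACL says for the groups passed in; which groups a computer's token really carries has to be checked on the machine itself.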
