[Samba] Group Policy Permissions

Michal Sládek michal at sladkovi.eu
Wed Aug 15 04:56:46 UTC 2018


2018-08-14 22:51 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Aug 2018 20:52:04 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Tue, 14 Aug 2018 20:15:04 +0200
> > > Michal Sládek via samba <samba at lists.samba.org> wrote:
> > >
> > > > Thank you for your suggestion, I read the whole discussion.
> > > >
> > > > My situation is a little bit different - my machine policy works,
> > > > but it stops working once I remove Apply permission from
> > > > Authenticated Users and replace it with Read and Apply permission
> > > > for Domain Computers.
> > > >
> > > > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > > > (Security Filtering) for the affected computer.
> > > >
> > > > The same result I get with command gpresult /Z /SCOPE COMPUTER:
> > > >
> > > >     The following GPOs were not applied because they were filtered out
> > > >     -------------------------------------------------------------------
> > > >     Import CA Certificates Filtering:  Denied (Security)
> > > >
> > > > I don't understand why Domain Computers group is not enough...
> > > >
> > >
> > > That triggered a memory 'MS16-072', see here:
> > >
> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> > >
> > > and here:
> > >
> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> > >
> > > Also here:
> > >
> > > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> > >
> > > Rowland
> > >
> >
> > I know about those changes, but they affected only user policies
> > (context changed from user to computer account while retrieving the
> > policy from server).
>
> What is the difference between an AD user and a computer?
>
> One objectclass -> 'computer'
> The 'sAMAccountName' attribute content has a '$' on the end.
> That is it.
>
> A computer, when it is logged in, is a member of 'Authenticated Users'
>
> Rowland
>

That is exactly the reason why I would expect the computer configuration
group policy to work with the Domain Computers group.

But your note inspired me to make another test. I changed Security
Filtering from the Domain Computers group to a computer account, in my case
WINMGMT$ (AD\WINMGMT$). And the policy started to work, which really makes
me crazy. What is the difference? The Winmgmt computer is a domain member
and so a member of the Domain Computers group.

Now I really don't understand the behavior. The group policy is linked to
the whole domain, I didn't create any custom OU...

Michal
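
Added example, not part of the original thread: a PowerShell check of the trustees behind the Security Filtering result discussed above, using the RSAT GroupPolicy module's Get-GPPermission. The GPO name is taken from the gpresult output in the thread; the variable names are illustrative, and the script assumes it is run from an admin workstation that can reach a domain controller.

```powershell
# Added example: audit one GPO's security filtering.
# Requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

$GpoName = 'Import CA Certificates'   # GPO named in the gpresult output in the thread

# Every trustee on the GPO with its permission level.
$perms = Get-GPPermission -Name $GpoName -All

$perms | Sort-Object { $_.Trustee.Name } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'SidType'; e = { $_.Trustee.SidType } },
                  @{ n = 'Sid';     e = { $_.Trustee.Sid.Value } },
                  Permission, Denied |
    Format-Table -AutoSize

# Security Filtering lists the trustees that hold GpoApply (Read + Apply).
$apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

# Match by SID so localized group names do not matter:
#   S-1-5-11              Authenticated Users
#   S-1-5-21-<domain>-515 Domain Computers
$authUsers   = $perms | Where-Object {
    $_.Trustee.Sid.Value -eq 'S-1-5-11' -and -not $_.Denied }
$domainComps = $perms | Where-Object {
    $_.Trustee.Sid.Value -like 'S-1-5-21-*-515' -and -not $_.Denied }

'Apply-to trustees: ' + (($apply | ForEach-Object { $_.Trustee.Name }) -join ', ')

if (-not $authUsers -and -not $domainComps) {
    # The case covered by the MS16-072 articles linked in the thread:
    # neither group has any permission on the GPO.
    Write-Warning "Neither Authenticated Users nor Domain Computers has a permission entry on '$GpoName'."
}

# On the affected computer, list the security groups the computer account is
# part of and compare them with the Apply-to trustees printed above:
#   gpresult /R /SCOPE COMPUTER
```

Comparing by SID rather than by name shows whether the entry in Security Filtering is the same group that appears in the computer's own group list.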

