[Samba] Group Policy Permissions

Rowland Penny rpenny at samba.org
Wed Aug 15 16:59:38 UTC 2018


On Wed, 15 Aug 2018 18:34:58 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> 2018-08-15 6:56 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:
> 
> > 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org> :
> >
> >> On Tue, 14 Aug 2018 20:52:04 +0200
> >> Michal Sládek via samba <samba at lists.samba.org> wrote:
> >>
> >> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> >> > <samba at lists.samba.org>:
> >> >
> >> > > On Tue, 14 Aug 2018 20:15:04 +0200
> >> > > Michal Sládek via samba <samba at lists.samba.org> wrote:
> >> > >
> >> > > > Thank you for your suggestion, I read the whole discussion.
> >> > > >
> >> > > > My situation is a little bit different - my machine policy
> >> > > > works, but it stops working once I remove Apply permission
> >> > > > from Authenticated Users and replace it with Read and Apply
> >> > > > permission for Domain Computers.
> >> > > >
> >> > > > Group Policy Results in RSAT shows Reason Denied: Access
> >> > > > Denied (Security Filtering) for affected computer.
> >> > > >
> >> > > > The same result I get with command gpresult /Z /SCOPE
> >> > > > COMPUTER:
> >> > > >
> >> > > >     The following GPOs were not applied because they were filtered out
> >> > > >     -------------------------------------------------------------------
> >> > > >     Import CA Certificates Filtering:  Denied (Security)
> >> > > >
> >> > > > I don't understand why Domain Computers group is not
> >> > > > enough...
> >> > > >
> >> > >
> >> > > That triggered a memory 'MS16-072', see here:
> >> > >
> >> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> >> > >
> >> > > and here:
> >> > >
> >> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> >> > >
> >> > > Also here:
> >> > >
> >> > > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> >> > >
> >> > > Rowland
> >> > >
> >> >
> >> > I know about those changes, but they affected only user policies
> >> > (context changed from user to computer account while retrieving
> >> > the policy from server).
> >>
> >> What is the difference between an AD user and a computer ?
> >>
> >> One objectclass -> 'computer'
> >> The 'sAMAccountName' attribute content has a '$' on the end.
> >> That is it.
> >>
> >> A computer, when it is logged in, is a member of 'Authenticated
> >> Users'
> >>
> >> Rowland
> >>
> >
> > That is exactly the reason why I would expect computer
> > configuration group policy to work with Domain Computers group.
> >
> > But your note inspired me to make another test. I changed Security
> > Filtering from Domain Computers group to a computer account, in my
> > case WINMGMT$ (AD\WINMGMT$). And the policy started to work which
> > really makes me crazy. What is the difference? Winmgmt computer is
> > a domain member and so a member of Domain Computers group.
> >
> > Now I really don't understand the behavior. The group policy is
> > linked to the whole domain, I didn't create any custom OU...
> >
> > Michal
> >
> 
> Does anybody have any suggestion, why group policies related to
> computer configuration work when Security Filtering is set to
> Authenticated Users or computer account but don't work when Security
> Filtering is set to Domain Computers group? I would really like to
> know, whether this is a bug in Samba code or in my brain...
> 
> Michal

You don't seem to want to accept what I have told you, so I found you yet
another webpage:

https://www.experts-exchange.com/questions/29018822/Been-testing-with-a-GPO-to-deploy-a-certificate-with-a-TEST-OU-How-would-I-apply-it-to-Production-so-that-all-machines-reecive-the-GPO.html

Rowland
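
Added example, not part of the original messages or of Samba: a PowerShell audit that lists, for every GPO in the domain, what Authenticated Users and Domain Computers are granted, and flags GPOs that neither group can read. It assumes the RSAT GroupPolicy module and English group names; the column name ReadViaListedGroups is made up for this example.

```powershell
# Added example, not from the thread. Needs the GroupPolicy module (RSAT)
# and a session with read access to the domain's GPOs.
Import-Module GroupPolicy

# The two principals discussed in the thread. The names are an assumption:
# they match an English-language domain and differ on localized ones.
$principals = 'Authenticated Users', 'Domain Computers'

# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # Every trustee entry on this GPO's security descriptor.
    $acl = Get-GPPermission -Guid $gpo.Id -All
    $row = [ordered]@{ GPO = $gpo.DisplayName }
    $readable = $false

    foreach ($name in $principals) {
        $entries = @($acl | Where-Object { $_.Trustee.Name -eq $name })
        if ($entries.Count -eq 0) {
            $row[$name] = 'None'
            continue
        }
        $row[$name] = ($entries.Permission -join ',')
        # An allow entry at any read-inclusive level counts as readable.
        $allow = $entries | Where-Object {
            -not $_.Denied -and $readLevels -contains "$($_.Permission)"
        }
        if ($allow) { $readable = $true }
    }

    # Hypothetical column name: true when either listed group can read the GPO.
    $row['ReadViaListedGroups'] = $readable
    [pscustomobject]$row
}

# Full table, then only the GPOs neither group can read.
$report | Sort-Object GPO | Format-Table -AutoSize
$report | Where-Object { -not $_.ReadViaListedGroups } |
    Select-Object -ExpandProperty GPO
```

GPOs filtered to a single computer account, as in the WINMGMT$ test described in the thread, show up in the second list because the script only inspects the two named groups.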


