[Samba] Group Policy Permissions

Rowland Penny rpenny at samba.org
Wed Aug 15 18:15:09 UTC 2018

On Wed, 15 Aug 2018 20:06:02 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> I really appreciate your effort to help me, I just don't understand
> suggested solution.
> My group policy is related to computer configuration, not user
> configuration. Authenticated Users include both users and computers
> (once authenticated) so they unnecessarily include users. That's why
> I would like to use Domain Computers group instead (just to be more
> restrictive). MS16-072 states: " After MS16-072 is installed, USER
> group policies are retrieved by using the computer's security
> context." I suppose that COMPUTER group policies are retrieved by
> computer's security context too. That's why I expect replacing
> Authenticated Users with Domain Computers to work. But they don't:-(
> My computer accounts are placed in the default Computers folder.
> My group policy is linked to the domain root.
> I checked SYSVOL permissions and permissions of underlying folders.
> Everything is readable for Authenticated Users (so computer account
> should be able to access it after successfull authentication).
> Everything works when I replace Domain Computers with appropriate
> computer account (Why? What is the differennce between setting
> permission to a group or to a specific group member?)
> I really apologize if I miss something obvious. I just don't get it.
> Michal

OK, I give in, my last comment is this, this is not a Samba problem, it
is an AD GPO problem. 

Go and search the internet on this topic.

Rowland Penny
Samba team member

More information about the samba mailing list