[Samba] Group Policy Permissions

Michal Sládek michal at sladkovi.eu
Mon Aug 20 08:49:19 UTC 2018

2018-08-15 20:15 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 15 Aug 2018 20:06:02 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
> > I really appreciate your effort to help me, I just don't understand
> > suggested solution.
> >
> > My group policy is related to computer configuration, not user
> > configuration. Authenticated Users include both users and computers
> > (once authenticated) so they unnecessarily include users. That's why
> > I would like to use Domain Computers group instead (just to be more
> > restrictive). MS16-072 states: " After MS16-072 is installed, USER
> > group policies are retrieved by using the computer's security
> > context." I suppose that COMPUTER group policies are retrieved by
> > computer's security context too. That's why I expect replacing
> > Authenticated Users with Domain Computers to work. But they don't:-(
> >
> > My computer accounts are placed in the default Computers folder.
> > My group policy is linked to the domain root.
> > I checked SYSVOL permissions and permissions of underlying folders.
> > Everything is readable for Authenticated Users (so computer account
> > should be able to access it after successful authentication).
> > Everything works when I replace Domain Computers with appropriate
> > computer account (Why? What is the difference between setting
> > permission to a group or to a specific group member?)
> >
> > I really apologize if I miss something obvious. I just don't get it.
> >
> > Michal
> OK, I give in, my last comment is this, this is not a Samba problem, it
> is an AD GPO problem.
> Go and search the internet on this topic.
> Rowland Penny
> Samba team member

I have configured a new AD domain in my VMware Workstation, this time with
Windows Server 2016 Standard and Windows 10 Pro.
The same group policy (installation of CA certificate) works with Read and
Apply permissions for Domain Computers group and no permissions for
Authenticated Users.
So it seems like a Samba problem to me.

