[Samba] [OT?] 'negative' GPOs for local user?!

Rowland Penny rpenny at samba.org
Mon Mar 5 12:13:37 UTC 2018

On Mon, 5 Mar 2018 12:52:52 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> I'm trying to define the GPOs on my new AD domain, and i'm a little
> confused.
> I've never worked with AD, but i've extensively used MLGPO, where i
> can explicitly apply GPOs to users/groups.
> Two examples, of my confusion.
> 1) i've setup password policies (8 chars, 5-row password history,
>  ...), and this is a ''computer'' policy, that apply... to
> computers. ;-) But... there's some way to have domain computer policy
> apply ony to... domain users, and not local one?!

All your domain users will be members of Domain Users, any 'local
users' will be just that, local users and as such, not part of the
domain, so domain GPOs will not apply to them.

> 2) i've setup also user policy, eg, the profile (enabled and set a
>  quota). Also this seems to apply to all users, also local ones.

If a GPO applies to your 'local users', they are not local users, they
are domain users.
> For that i've found (many!) article like that:
> 	http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
> and so seems to me that 'Authenticated User' apply to all users, also
> local one.
> It is safe to remove policy 'apply' to 'Authenticated User' and add an
> ACL for, eg, 'Domain Users' group? Or i'm really missing something?!

You probably could, but all 'Authenticated Users' will be domain
members and as such will also be members of the 'Domain Users' group,
so why bother.

I feel that you haven't  explained your set up very well, especially
your 'local users'.


More information about the samba mailing list