[Samba] Installing software via GPO

Stefan Kania stefan at kania-online.de
Mon Nov 15 18:18:09 UTC 2021

Microsoft changed some GPO-permission several years ago. All domain-PC
must be able to read the GPO, otherwise the GPO will never work.
Normally all GPOs assigned to "authenticate users", that includes the
domain-PCs, but as soon as you remove "authentcated users" from the
"securityfilter" the domin-pc can't read the GPO anymore, so you must go
to the "delegation"-Tab and add "domain PC" group with "read"-permission
to the list. see https://support.microsoft.com/kb/3163622 for more
information. But you normally get a warning message as soon as you
remove "authenticated users".

Am 15.11.21 um 17:37 schrieb Patrick Goetz via samba:
> Hi Stefan -
> I think you mean link the GPO to the correct OU? Otherwise, I'm not sure
> what you're talking about. I've never worried about this before other
> than putting the OU link in the right place. Did you mean something else?
> On 11/15/21 10:30, Stefan Kania via samba wrote:
>> Am 15.11.21 um 17:00 schrieb Patrick Goetz via samba:
>>> Hi list -
>>> I experimented with getting software to install on W10 clients using a
>>> GPO, and could not get it to work.  Has anyone used this feature?  Is it
>>> even supposed to work under Samba?  The instructions I cobbled together
>>> from some googling below.  Things like accessibility to the share/etc.
>>> already tested.
>>> -=- Automatically Deploy Software
>>>   - Create a share folder accessible by everyone in which to place .msi
>>> files
>>>   - Create a Security Group for the computers which are to get this
>>> install/update
>>>       - Change the Object Type to allow for computer objects
>>>       - Add computers to this group.
>>>    - GPO
>>>    Computer Configuration -> Policies -> Software Settings -> Software
>>>          Installation
>>>    Right click, New -> Package
>>>    - Add UNC path to package folder and select package to install.
>>>    Remove "Authenticated Users" from Security Filter and add the group
>>> created above.
>> Don't miss the last step:
>> Give domain-pc the right to read the GPO

Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre
Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter

More information about the samba mailing list