[Samba] Installing software via GPO

Patrick Goetz pgoetz at math.utexas.edu
Mon Nov 15 19:30:07 UTC 2021

Ah, yes. Good point. What I did was create a group for machines that 
need the software installed; removed "Authenticated Users" from the 
security filter, and added this group instead.  One annoying thing 
(which I think is what you're alluding to) is that when you remove 
"Authenticated Users" from the Security filter, it also automatically 
removes "Authenticated Users" from the Delegation tab. You have to 
remember to add "Authenticated Users" back under delegation (with read 
permission only), or, as you point out, the GPO becomes unreadable by 
every client.  I think they do warn you when you do this, though.

On 11/15/21 12:18, Stefan Kania via samba wrote:
> Microsoft changed some GPO permissions several years ago. All domain-PCs
> must be able to read the GPO, otherwise the GPO will never work.
> Normally all GPOs are assigned to "authenticated users", which includes the
> domain-PCs, but as soon as you remove "authenticated users" from the
> "security filter" the domain-PC can't read the GPO anymore, so you must go
> to the "delegation" tab and add the "domain PC" group with "read" permission
> to the list. See https://support.microsoft.com/kb/3163622 for more
> information. But you normally get a warning message as soon as you
> remove "authenticated users".
> Am 15.11.21 um 17:37 schrieb Patrick Goetz via samba:
>> Hi Stefan -
>> I think you mean link the GPO to the correct OU? Otherwise, I'm not sure
>> what you're talking about. I've never worried about this before other
>> than putting the OU link in the right place. Did you mean something else?
>> On 11/15/21 10:30, Stefan Kania via samba wrote:
>>> Am 15.11.21 um 17:00 schrieb Patrick Goetz via samba:
>>>> Hi list -
>>>> I experimented with getting software to install on W10 clients using a
>>>> GPO, and could not get it to work.  Has anyone used this feature?  Is it
>>>> even supposed to work under Samba?  The instructions I cobbled together
>>>> from some googling are below.  Things like accessibility to the share/etc.
>>>> already tested.
>>>> -=- Automatically Deploy Software
>>>>    - Create a share folder accessible by everyone in which to place .msi
>>>> files
>>>>    - Create a Security Group for the computers which are to get this
>>>> install/update
>>>>        - Change the Object Type to allow for computer objects
>>>>        - Add computers to this group.
>>>>     - GPO
>>>>     Computer Configuration -> Policies -> Software Settings -> Software
>>>>           Installation
>>>>     Right click, New -> Package
>>>>     - Add UNC path to package folder and select package to install.
>>>>     Remove "Authenticated Users" from Security Filter and add the group
>>>> created above.
>>> Don't miss the last step:
>>> Give domain-pc the right to read the GPO
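
The read-permission check discussed in this thread, as an added example that is not part of the original messages: a PowerShell audit that lists every GPO which neither "Authenticated Users" nor "Domain Computers" can read, then previews the read-only delegation fix. It assumes a domain-joined Windows host with the RSAT GroupPolicy module; the function name `Test-GpoComputerRead` is hypothetical.

```powershell
# Added example: find GPOs that domain computers cannot read after a
# security-filter change. Assumes the RSAT GroupPolicy module is installed.
Import-Module GroupPolicy

# Permission levels that always include read access. GpoCustom is left out
# on purpose: a custom ACE may or may not grant read, so such GPOs are
# reported for manual review.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerRead {
    # Hypothetical helper: returns $true when Authenticated Users or
    # Domain Computers holds a permission level that includes read.
    param([Parameter(Mandatory)][string]$Name)

    foreach ($ace in Get-GPPermission -Name $Name -All) {
        $sid = $ace.Trustee.Sid.Value
        # Match by SID so localized group names do not matter:
        #   S-1-5-11            Authenticated Users (well-known SID)
        #   S-1-5-21-<dom>-515  Domain Computers (well-known RID 515)
        $isReader = ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
        if ($isReader -and ($ReadLevels -contains "$($ace.Permission)")) {
            return $true
        }
    }
    return $false
}

# Audit: every GPO in the domain that computers cannot read.
$unreadable = Get-GPO -All |
    Where-Object { -not (Test-GpoComputerRead -Name $_.DisplayName) }

$unreadable | Select-Object DisplayName, Id | Format-Table -AutoSize

# Preview the fix: read-only delegation for Authenticated Users, leaving the
# security filter (the group holding GpoApply) untouched. Remove -WhatIf to
# apply the change.
foreach ($gpo in $unreadable) {
    Set-GPPermission -Name $gpo.DisplayName `
        -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -WhatIf
}
```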
