Web lists-archives.com

Re: [Samba] GPO administration right on the station for ordinary user




Hi Miguel,

Am 03.04.2017 um 22:10 schrieb Miguel Medalha via samba:
> MS16-072: Security update for Group Policy: June 14, 2016
> https://support.microsoft.com/en-gb/kb/3159398
>
The Wiki page you pointed to describes a modification to the *Default
Domain Policy*. This is probably why you never met the issue I
described. As I reported on my previous post, the Default Domain Policy
was the only one that kept working after the Microsoft update. All the
other GPOs that I had set stopped being applied.

Thanks for the details.

I found an interesting blog post from MS support team that explains why it is working here:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

This part explains it:

> If permissions on any of the Group Policy Objects in your active
> Directory domain have not been modified, are using the defaults, and
> as long as Kerberos authentication is working fine in your Active
> Directory forest (i.e. there are not Kerberos errors visible in the
> system event log on client computers while accessing domain
> resources), there is nothing else you need to make sure before you
> deploy the security update.
>
> In some deployments, administrators may have removed the
> “Authenticated Users” group from some or all Group Policy Objects
> (Security filtering, etc.)
>
> In such cases, you will need to make sure of the following before you
> deploy the security update: ...

I verified this with the "Default Domain Policy" and with a new GPO. Both had the "Authenticated Users" in the "Security Filters" list by default and it worked. I tried it on Win 10 (patchlevel March 2017) and on a fresh Win10 Pro 1511 without any further updates. It's the default setting, and we didn't tell the reader in the Wiki to change it.

Anyway, it is worth mentioning this in the documentation, so the reader verifies the security filter entries. I added an additional step to both procedures in the doc.

Louis and Miguel, thanks for bringing this up.


Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba