Web lists-archives.com

Re: [Samba] Group Policy Permissions




On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:
2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

On Tue, 14 Aug 2018 20:15:04 +0200
Michal Sládek via samba <samba@xxxxxxxxxxxxxxx> wrote:

Thank you for your suggestion, I read the whole discussion.

My situation is little bit different - my machine policy works, but it
stops working once I remove Apply permission from Authenticated Users
and replace it with Read and Apply permission for Domain Computers.

Group Policy Results in RSAT shows Reason Denied: Access Denied
(Security Filtering) for affected computer.

The same result I get with command gpresult /Z /SCOPE COMPUTER:

     The following GPOs were not applied because they were filtered out
     -------------------------------------------------------------------
         Import CA Certificates
             Filtering:  Denied (Security)

I don't understand why Domain Computers group is not enough...


That triggered a memory 'MS16-072', see here:

https://support.microsoft.com/en-gb/help/3159398/ms16-072-
description-of-the-security-update-for-group-policy-june-14-2

and here:

https://support.microsoft.com/en-gb/help/3163622/ms16-072-
security-update-for-group-policy-june-14-2016

Also here:

https://social.technet.microsoft.com/Forums/windows/
en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-
ms16072-updates?forum=winserverGP

Rowland


I know about those changes, but they affected only user policies (context
changed from user to computer account while retrieving the policy from
server).

I would appreciate a lot if somebody could test my scenario on Samba AD
domain - create any group policy that affects computer configuration and
set Security Filtering to Domain Computers only.

Fedora?


Michal



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba