Web lists-archives.com

Re: [Samba] Group Policy Permissions




2018-08-15 18:59 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Wed, 15 Aug 2018 18:34:58 +0200
> Michal Sládek via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > 2018-08-15 6:56 GMT+02:00 Michal Sládek <michal@xxxxxxxxxxx>:
> >
> > > 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba
> > > <samba@xxxxxxxxxxxxxxx> :
> > >
> > >> On Tue, 14 Aug 2018 20:52:04 +0200
> > >> Michal Sládek via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >>
> > >> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> > >> > <samba@xxxxxxxxxxxxxxx>:
> > >> >
> > >> > > On Tue, 14 Aug 2018 20:15:04 +0200
> > >> > > Michal Sládek via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >> > >
> > >> > > > Thank you for your suggestion, I read the whole discussion.
> > >> > > >
> > >> > > > My situation is little bit different - my machine policy
> > >> > > > works, but it stops working once I remove Apply permission
> > >> > > > from Authenticated Users and replace it with Read and Apply
> > >> > > > permission for Domain Computers.
> > >> > > >
> > >> > > > Group Policy Results in RSAT shows Reason Denied: Access
> > >> > > > Denied (Security Filtering) for affected computer.
> > >> > > >
> > >> > > > The same result I get with command gpresult /Z /SCOPE
> > >> > > > COMPUTER:
> > >> > > >
> > >> > > >     The following GPOs were not applied because they were
> > >> > > > filtered out
> > >> > > > ------------------------------------------------------------
> -------
> > >> > > > Import CA Certificates Filtering:  Denied (Security)
> > >> > > >
> > >> > > > I don't understand why Domain Computers group is not
> > >> > > > enough...
> > >> > > >
> > >> > >
> > >> > > That triggered a memory 'MS16-072', see here:
> > >> > >
> > >> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-
> > >> > > description-of-the-security-update-for-group-policy-june-14-2
> > >> > >
> > >> > > and here:
> > >> > >
> > >> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-
> > >> > > security-update-for-group-policy-june-14-2016
> > >> > >
> > >> > > Also here:
> > >> > >
> > >> > > https://social.technet.microsoft.com/Forums/windows/
> > >> > > en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-
> > >> > > ms16072-updates?forum=winserverGP
> > >> > >
> > >> > > Rowland
> > >> > >
> > >> >
> > >> > I know about those changes, but they affected only user policies
> > >> > (context changed from user to computer account while retrieving
> > >> > the policy from server).
> > >>
> > >> What is the difference between an AD user and a computer ?
> > >>
> > >> One objectclass -> 'computer'
> > >> The 'sAMAccountName' attribute content has a '$' on the end.
> > >> That is it.
> > >>
> > >> A computer, when it is logged in, is a member of 'Authenticated
> > >> Users'
> > >>
> > >> Rowland
> > >>
> > >
> > > That is exactly the reason why I would expect computer
> > > configuration group policy to work with Domain Computers group.
> > >
> > > But your note inspired me to make another test. I changed Security
> > > Filtering from Domain Computers group to a computer account, in my
> > > case WINMGMT$ (AD\WINMGMT$). And the policy started to work which
> > > really makes me crazy. What is the difference? Winmgmt computer is
> > > a domain member and so the member of Domain Computers group.
> > >
> > > Now I really don't understand the behavior. The group policy is
> > > linked to the whole domain, I didn't create any custom OU...
> > >
> > > Michal
> > >
> >
> > Does anybody have any suggestion, why group policies related to
> > computer configuration work when Security Filtering is set to
> > Authenticated Users or computer account but don't work when Security
> > Filtering is set to Domain Computers group? I would really like to
> > know, whether this is bug in Samba code or in my brain...
> >
> > Michal
>
> You don't seem to want accept what I have told you, so I found you yet
> another webpage:
>
> https://www.experts-exchange.com/questions/29018822/Been-tes
> ting-with-a-GPO-to-deploy-a-certificate-with-a-TEST-OU-How-w
> ould-I-apply-it-to-Production-so-that-all-machines-reecive-the-GPO.html
>
> Rowland
>

I really appreciate your effort to help me, I just don't understand
suggested solution.

My group policy is related to computer configuration, not user
configuration. Authenticated Users include both users and computers (once
authenticated) so they unnecessarily include users. That's why I would like
to use Domain Computers group instead (just to be more restrictive).
MS16-072 states: " After MS16-072 is installed, USER group policies are
retrieved by using the computer's security context." I suppose that
COMPUTER group policies are retrieved by computer's security context too.
That's why I expect replacing Authenticated Users with Domain Computers to
work. But they don't:-(

My computer accounts are placed in the default Computers folder.
My group policy is linked to the domain root.
I checked SYSVOL permissions and permissions of underlying folders.
Everything is readable for Authenticated Users (so computer account should
be able to access it after successfull authentication).
Everything works when I replace Domain Computers with appropriate computer
account (Why? What is the differennce between setting permission to a group
or to a specific group member?)

I really apologize if I miss something obvious. I just don't get it.

Michal
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba