[Samba] editing GPO as user X, when user X is used in gpo security filter
- Date: Tue, 14 May 2019 21:53:22 +0200
- From: Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: [Samba] editing GPO as user X, when user X is used in gpo security filter
I'm using samba 4.9.x compiled from source on centos 7.6
Today I ran into an unknown behaviour before, which I'm not sure if it's
a bug, a feature or.. just "is".
I realised, that I'm unable to edit particular GPOs, with "access
denied" error, when this criteria are met:
- I have user "john" that is a member of "domain admins"
- to any new or existing GPO I explicitly add user "john" to "security
- I'm editing GPO from workstation to which I'm logged in as user "john"
You can substitute "john" for any other username, i.e. it's not tied to
particular account, as long as criteria as above are met.
Things like "wbinfo -i" and getfacl run on any of the GPO return
expected values, all GPO are owned by "domain admins" (both user and group).
What happens is:
I can open GPO to edit, I can try to change something, but whenver I try
to accept changes, there is "access denied" error. To make it clear:
policy is processed by domain clients as it should, and settings are
applied, error is ONLY when editing with the criteria as above. So
"john" will get settings applied, even though he can't edit.
As soon, as I remove "john" from security filter OR log in as another
domain admin, I can edit GPO without error. I'm 100% certain it's not
user "john" fault, as I can as easily reproduce with another user, as
- user that is logged in is member of "domain admins" and is editing GPO
with himself added to GPO security filter
It's not a big issue, and easy to circumvent that's why I'm not even
sure if it's a bug, or maybe a feature. I bumped into this by accident,
as I wanted to test something using my domain admin account and not
different test account and using trial and error pinpointed what caused
gpo edit error.
I tested this using windows 10 and windows 2012 r2 clients with latest
I asked around people using pure microsoft windows 2016 AD DC and they
couldn't reproduce this behaviour.
What I'd like to know if it's something that is expected, or is there an
error in my domain?
Ta wiadomość została sprawdzona na obecność wirusów przez oprogramowanie antywirusowe Avast.
To unsubscribe from this list go to the following URL and read the