samba - Feb 2019 - GPO permissions

Hi all,

Just another GPO Permissions question.

I'm trying to track down why some GPOs are essentially invisible to the
clients, even though they exist in GPM and the files exist.  So, they
aren't being applied or denied.  What's the current wisdom on GPO
ownership?

In GPM, the applicable object is "owned" by Domain Admins, but the
\\DC\sysvol\SAMDOM\Policies\{UUID} should be owned by root (via FS side)
and SAMDOM\Administrator?

For some reason, I've got a mix of root:SAMDOM\domain admins,
root:BUILTIN\administrators, and 3000010:SAMDOM\domain admins on the FS
side.  This last one (300010) is SAMDOM\Domain Admins, from GPM.

Thanks,
-Kris






Kris Lou
klou at themusiclink.net

>
>
> I'm trying to track down why some GPOs are essentially invisible to the
> clients, even though they exist in GPM and the files exist.  So, they
> aren't being applied or denied.
>
Replying to myself:

The above seems to be related to both User and Computer GPO's being pulled
down by the Computer's context.  As such, the Domain Computers (or
Authenticated Users) need to have Read access to the GPO on the Delegation
tab.  Otherwise, it's "essentially invisible."

https://community.spiceworks.com/topic/1706100-group-policy-won-t-apply-without-authenticated-users?page=1#entry-5985648