Hi list, Very strange problem here on Samba 4.5.2 DCs. We have set up some GPOs and they seem to work fine, however we need to apply some Security Filtering to a couple of them. We can add groups and users until we reach 6 groups/users/computers in the list box in GPO management. As soon as we try to add a 7th entry, GPO Management throws an "Access Denied" error. Even odder is that sometimes if we do this, then delete a previous entry from the list, the most recent one will magically appear. We are managing AD using RSAT tools on Windows 7. Has anyone else come across this problem? Regards Alex -- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
On 12/19/2016 9:06 AM, Alex Crow via samba wrote:> Hi list, > > Very strange problem here on Samba 4.5.2 DCs. We have set up some GPOs > and they seem to work fine, however we need to apply some Security > Filtering to a couple of them. > > We can add groups and users until we reach 6 groups/users/computers in > the list box in GPO management. As soon as we try to add a 7th entry, > GPO Management throws an "Access Denied" error. Even odder is that > sometimes if we do this, then delete a previous entry from the list, > the most recent one will magically appear. > > We are managing AD using RSAT tools on Windows 7. > > Has anyone else come across this problem? > > Regards > > Alex > > -- > This message is intended only for the addressee and may contain > confidential information. Unless you are that person, you may not > disclose its contents or use it in any way and are requested to delete > the message along with any attachments and notify us immediately. > This email is not intended to, nor should it be taken to, constitute > advice. > The information provided is correct to our knowledge & belief and must > not > be used as a substitute for obtaining tax, regulatory, investment, > legal or > any other appropriate advice. > > "Transact" is operated by Integrated Financial Arrangements Ltd. > 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) > 7608 5300. > (Registered office: as above; Registered in England and Wales under > number: 3727592). Authorised and regulated by the Financial Conduct > Authority (entered on the Financial Services Register; no. 190856). >I'm not sure I follow exactly where you are adding users and groups. Is it within the GPO for item level targeting where you reach a limit? -- - James
Hello Alex, Works fine for me with these versions. ( Debian Jessie ) 4.4.5-3 4.5.2 4.5.3 And same here, win7 64b, with RSAT tools for management. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Alex Crow via > samba > Verzonden: maandag 19 december 2016 15:06 > Aan: samba at lists.samba.org > Onderwerp: [Samba] GPO Security Filtering "Access Denied" > > Hi list, > > Very strange problem here on Samba 4.5.2 DCs. We have set up some GPOs > and they seem to work fine, however we need to apply some Security > Filtering to a couple of them. > > We can add groups and users until we reach 6 groups/users/computers in > the list box in GPO management. As soon as we try to add a 7th entry, > GPO Management throws an "Access Denied" error. Even odder is that > sometimes if we do this, then delete a previous entry from the list, the > most recent one will magically appear. > > We are managing AD using RSAT tools on Windows 7. > > Has anyone else come across this problem? > > Regards > > Alex > > -- > This message is intended only for the addressee and may contain > confidential information. Unless you are that person, you may not > disclose its contents or use it in any way and are requested to delete > the message along with any attachments and notify us immediately. > This email is not intended to, nor should it be taken to, constitute > advice. > The information provided is correct to our knowledge & belief and must not > be used as a substitute for obtaining tax, regulatory, investment, legal > or > any other appropriate advice. > > "Transact" is operated by Integrated Financial Arrangements Ltd. > 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 > 5300. > (Registered office: as above; Registered in England and Wales under > number: 3727592). Authorised and regulated by the Financial Conduct > Authority (entered on the Financial Services Register; no. 190856). > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
On 19/12/16 14:18, L.P.H. van Belle via samba wrote:> Hello Alex, > > Works fine for me with these versions. > > ( Debian Jessie ) > 4.4.5-3 > 4.5.2 > 4.5.3 > > And same here, win7 64b, with RSAT tools for management. > > Greetz, > > Louis > > >Can you try with a user policy applied via loopback to an ou containing machines? This a policy designed to revert a higher level enforcement of screensaver/locking for an ou containing servers, for a subset of those servers and for certain user groups. I'd already added one machine individually and one user group to the Security Filtering list. I needed to add another user group, one individual user and 8 machines - the group, user and the first two machines worked but I couldn't add any more after that. Restarting samba did not help :-( Cheers Alex -- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
Are you replacing or merging the policies?> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Alex Crow via > samba > Verzonden: maandag 19 december 2016 15:29 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] GPO Security Filtering "Access Denied" > > > > On 19/12/16 14:18, L.P.H. van Belle via samba wrote: > > Hello Alex, > > > > Works fine for me with these versions. > > > > ( Debian Jessie ) > > 4.4.5-3 > > 4.5.2 > > 4.5.3 > > > > And same here, win7 64b, with RSAT tools for management. > > > > Greetz, > > > > Louis > > > > > > > > Can you try with a user policy applied via loopback to an ou containing > machines? This a policy designed to revert a higher level enforcement of > screensaver/locking for an ou containing servers, for a subset of those > servers and for certain user groups. > > I'd already added one machine individually and one user group to the > Security Filtering list. I needed to add another user group, one > individual user and 8 machines - the group, user and the first two > machines worked but I couldn't add any more after that. Restarting samba > did not help :-( > > Cheers > > Alex > -- > This message is intended only for the addressee and may contain > confidential information. Unless you are that person, you may not > disclose its contents or use it in any way and are requested to delete > the message along with any attachments and notify us immediately. > This email is not intended to, nor should it be taken to, constitute > advice. > The information provided is correct to our knowledge & belief and must not > be used as a substitute for obtaining tax, regulatory, investment, legal > or > any other appropriate advice. > > "Transact" is operated by Integrated Financial Arrangements Ltd. > 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 > 5300. > (Registered office: as above; Registered in England and Wales under > number: 3727592). Authorised and regulated by the Financial Conduct > Authority (entered on the Financial Services Register; no. 190856). > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
I once had a similar problem and it turned out as this:
A Microsoft security update for Group Policy changed the behavior of clients in
regards to GPOs:
MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398
The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622
In sum:
Add the Authenticated Users group with Read Permissions to the Group Policy
Object (GPO).
If you are using security filtering, add the Domain Computers group with
read permission.
Apparently Analagous Threads
- GPO Security Filtering "Access Denied"
- GPO Security Filtering "Access Denied"
- ntlmssp_server_postauth: invalid NTLMSSP_MIC on CTDB fileserver (NT-style domain)
- ntlmssp_server_postauth: invalid NTLMSSP_MIC on CTDB fileserver (NT-style domain)
- gpupdate use wrong url