On 19/12/16 17:57, Miguel medalha wrote:
>>> No, I don't, because this is a loopback and I only want certain
>>> users on these computers to have the screensaver and lock disabled.
>>> If I did that it would apply to everyone.
> No, it wouldn't apply to everyone. As of April this year, according to Microsoft, all policies must have "Authenticated Users" with "Read" privilege. Note that in order to apply a policy you need to have "Read" AND "Apply" under security filtering.
>

If that is the case, why when "Authenticated users" is in the list, it applies to *every* user on those machines? Right now it behaves as expected but I just won't be able to add more than 6 entities to the list when I finally need to. The 7th one I try to add is *no* different to any of the others I added before.

There also is no option to change anything with regard to "read" or "apply" in security filtering.

When it's a loopback policy, according to MS you have to add either "Domain Computers", a particular computer account, or a group of computer accounts. This works for me, until I will have to add more than 6 groups or accounts!

Cheers

Alex

--
This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).

On 19/12/16 18:27, Alex Crow via samba wrote:
>
>
> On 19/12/16 17:57, Miguel medalha wrote:
>>>> No, I don't, because this is a loopback and I only want certain
>>>> users on these computers to have the screensaver and lock disabled.
>>>> If I did that it would apply to everyone.
>> No, it wouldn't apply to everyone. As of April this year, according
>> to Microsoft, all policies must have "Authenticated Users" with
>> "Read" privilege. Note that in order to apply a policy you need to
>> have "Read" AND "Apply" under security filtering.
>>
>
> If that is the case, why when "Authenticated users" is in the list, it
> applies to *every* user on those machines? Right now it behaves as
> expected but I just won't be able to add more than 6 entities to the
> list when I finally need to. The 7th one I try to add is *no*
> different to any of the others I added before.
>
> There also is no option to change anything with regard to "read" or
> "apply" in security filtering.
>
> When it's a loopback policy, according to MS you have to add either
> "Domain Computers", a particular computer account, or a group
> of computer accounts. This works for me, until I will have to add more
> than 6 groups or accounts!
>
> Cheers
>
> Alex
>
>

FYI I just found where to add a particular permission.
I tried to add "Read" (not apply) to "Authenticated Users",
and got an "Unable to save permission changes on {3729C4F3-A62A-4805-AB02-728CE538BA23}.
Access is denied"

So I can't even add that permission.

Alex

On 19/12/16 18:27, Alex Crow via samba wrote:
>
>
> On 19/12/16 17:57, Miguel medalha wrote:
>>>> No, I don't, because this is a loopback and I only want certain
>>>> users on these computers to have the screensaver and lock disabled.
>>>> If I did that it would apply to everyone.
>> No, it wouldn't apply to everyone. As of April this year, according
>> to Microsoft, all policies must have "Authenticated Users" with
>> "Read" privilege. Note that in order to apply a policy you need to
>> have "Read" AND "Apply" under security filtering.
>>
>
> If that is the case, why when "Authenticated users" is in the list, it
> applies to *every* user on those machines? Right now it behaves as
> expected but I just won't be able to add more than 6 entities to the
> list when I finally need to. The 7th one I try to add is *no*
> different to any of the others I added before.
>
> There also is no option to change anything with regard to "read" or
> "apply" in security filtering.
>
> When it's a loopback policy, according to MS you have to add either
> "Domain Computers", a particular computer account, or a group
> of computer accounts. This works for me, until I will have to add more
> than 6 groups or accounts!
>
> Cheers
>
> Alex
>
>

Just thinking out loud, could this be because sysvol is on XFS and I didn't tune to allow extra space for xattrs? The FS that contains sysvol was formatted with defaults and is mounted as:

rw,relatime,attr2,inode64,noquota

Cheers

Alex

>> FYI I just found where to add a particular permission.
>> I tried to add "Read" (not apply) to "Authenticated Users",
>> and got an "Unable to save permission changes on {3729C4F3-A62A-4805-AB02-728CE538BA23}.
>> Access is denied"
>>
>> So I can't even add that permission.

This means that you have another problem somewhere (sysvol permissions?). I can add those permissions alright.
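
Added example, not part of the thread and not code from any of its participants: a PowerShell audit of the security filtering discussed above, listing which trustees hold "Read" plus "Apply" on the GPO and whether "Authenticated Users" has at least "Read". It assumes a domain-joined Windows host with the GroupPolicy module (RSAT/GPMC); the function name Get-GpoFilterReport is hypothetical, and the GUID is the one from the quoted error message.

```powershell
# Added example: audit who is in a GPO's security filtering and whether
# "Authenticated Users" can read it. Needs the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

function Get-GpoFilterReport {   # hypothetical helper name
    param([Parameter(Mandatory)][guid]$Guid)

    # One GPPermission object per trustee on the GPO's ACL.
    $perms = @(Get-GPPermission -Guid $Guid -All)

    # GpoApply = "Read" + "Apply group policy": the Security Filtering list.
    $apply = @($perms | Where-Object {
        $_.Permission.ToString() -eq 'GpoApply' -and -not $_.Denied })

    # Each of these levels includes read access. ACEs set by hand in the
    # advanced ACL editor are reported as GpoCustom and are not classified here.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    # S-1-5-11 is the well-known SID of "Authenticated Users".
    $authRead = @($perms | Where-Object {
        $_.Trustee.Sid.Value -eq 'S-1-5-11' -and
        $readLevels -contains $_.Permission.ToString() -and
        -not $_.Denied })

    [pscustomobject]@{
        Gpo                       = (Get-GPO -Guid $Guid).DisplayName
        ApplyTrustees             = $apply.Trustee.Name
        ApplyCount                = $apply.Count
        AuthenticatedUsersCanRead = ($authRead.Count -gt 0)
    }
}

# GUID taken from the error message quoted in the thread.
$gpoGuid = '3729C4F3-A62A-4805-AB02-728CE538BA23'
$report  = Get-GpoFilterReport -Guid $gpoGuid
$report | Format-List

if (-not $report.AuthenticatedUsersCanRead) {
    Write-Warning 'Authenticated Users has no read access on this GPO.'
    # Command-line form of the GPMC change attempted in the thread
    # (read only, no apply). Uncomment to run:
    # Set-GPPermission -Guid $gpoGuid -TargetName 'Authenticated Users' `
    #     -TargetType Group -PermissionLevel GpoRead
}
```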