Marc Muehlfeld
2017-Apr-03 15:21 UTC
[Samba] GPO administration right on the station for ordinary user
Hi Louis,

On 03.04.2017 at 17:01, L.P.H. van Belle via samba wrote:
> But that's missing info.. :-(
>
> Maybe it's also a good thing to add just after the first picture on the wiki.
> That the security filter on the GPO MUST have "authenticated users" or Domain computer group.
> You decide.

thanks for bringing this up. I will verify this later.

I'm 85% sure I never set a security filter on GPOs. On the other side, it's more than 2 years ago that I wrote this doc and even longer that I implemented restricted groups in a production AD. So it's possible that I'm wrong. :-)

I looked at some other guides online that describe restricted groups, but none (incl. the one you posted in this thread) tells about changing the default filter settings.

Why do I need this filter and what happens if I don't set it?

Regards,
Marc
Marc Muehlfeld
2017-Apr-03 16:21 UTC
[Samba] GPO administration right on the station for ordinary user
On 03.04.2017 at 17:21, Marc Muehlfeld via samba wrote:
> On 03.04.2017 at 17:01, L.P.H. van Belle via samba wrote:
>> But that's missing info.. :-(
>>
>> Maybe it's also a good thing to add just after the first picture on the
>> wiki.
>> That the security filter on the GPO MUST have "authenticated users" or
>> Domain computer group.
>> You decide.

I verified the Wiki doc and here it works as described (without setting a filter). I did exactly what is described in the Wiki. To verify, I added a regular domain user to the domain group I set in the GPO, and after I logged in as this user on a domain member, this account had local admin permissions.

Doesn't this work in your installation? What happens if you don't set the filter?

Regards,
Marc
Miguel Medalha
2017-Apr-03 19:30 UTC
[Samba] GPO administration right on the station for ordinary user
> I verified the Wiki doc and here it works like described (without
> setting a filter). I did exactly what is described in the Wiki. To
> verify, I added a regular domain user to the domain group I set in the
> GPO, and after I log in as this user on a domain member, this account
> had local admin permissions.
>
> Doesn't this work in your installation? What happens if you don't set
> the filter?
>

Some months ago my GPOs suddenly stopped being applied. After much head scratching I found that a Windows 7 security update had brought a change of behavior on the part of the Windows 7 clients.

MS16-072: Security update for Group Policy: June 14, 2016
support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
support.microsoft.com/en-gb/kb/3163622

In sum, the "Authenticated Users" and "Domain Computers" groups MUST have Read Permissions on the Group Policy Object (GPO).

I reported this problem and its solution to this list:
lists.samba.org/archive/samba/2016-July/201546.html
Miguel Medalha
2017-Apr-03 20:10 UTC
[Samba] GPO administration right on the station for ordinary user
The Wiki page you pointed to describes a modification to the *Default Domain Policy*. This is probably why you never met the issue I described.

As I reported in my previous post, the Default Domain Policy was the only one that kept working after the Microsoft update. All the other GPOs that I had set stopped being applied.
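
An added example, not part of any post in this thread: a Python check that takes a GPO's security descriptor in SDDL form and reports which of the two groups named above ("Authenticated Users", "Domain Computers") holds Read on it, which is the condition the MS16-072 discussion turns on. The function names, the choice of RP+LC+RC as the meaning of "Read", and both sample descriptors are assumptions made for this example.

```python
import re

# Assumption: "Read" on a GPO = RP (read property) + LC (list children) + RC (read control).
READ_BITS = {"RP": 0x10, "LC": 0x4, "RC": 0x20000}

def parse_dacl(sddl):
    """Return (type, flags, rights, object_guid, trustee) for each ACE in the D: part."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        f = body.split(";")
        if len(f) < 6:
            continue
        if f[2].lower().startswith("0x"):          # numeric access mask
            mask = int(f[2], 16)
            rights = {r for r, bit in READ_BITS.items() if mask & bit}
        else:                                      # two-letter right tokens
            rights = set(re.findall(r"[A-Z]{2}", f[2]))
            if rights & {"GA", "GR"}:              # generic all/read imply read
                rights |= set(READ_BITS)
        aces.append((f[0], set(re.findall(r"[A-Z]{2}", f[1])), rights, f[3], f[5]))
    return aces

def is_group(trustee, name):
    """Match the SDDL alias or the literal SID of the two well-known groups."""
    if name == "Authenticated Users":
        return trustee in ("AU", "S-1-5-11")
    return trustee == "DC" or (trustee.startswith("S-1-5-21-") and trustee.endswith("-515"))

def groups_with_read(sddl):
    """Groups that hold Read on the GPO itself and are not denied any read right."""
    aces = parse_dacl(sddl)
    found = []
    for name in ("Authenticated Users", "Domain Computers"):
        # Skip inherit-only ACEs and object ACEs (e.g. the Apply Group Policy right).
        mine = [a for a in aces if is_group(a[4], name) and "IO" not in a[1] and not a[3]]
        allowed = any(t == "A" and set(READ_BITS) <= r for t, _, r, _, _ in mine)
        denied = any(t == "D" and r & set(READ_BITS) for t, _, r, _, _ in mine)
        if allowed and not denied:
            found.append(name)
    return found

# Constructed sample descriptors (the domain SID and RID 1105 are made up).
FULL = "A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;"
DEFAULT_GPO = f"O:DAG:DAD:PAI({FULL}DA)({FULL}SY)(A;CI;RPLCLORC;;;AU)(A;CI;RPLCLORC;;;ED)"
FILTERED_GPO = f"O:DAG:DAD:PAI({FULL}DA)({FULL}SY)(A;CI;RPLCLORC;;;S-1-5-21-1111-2222-3333-1105)"

if __name__ == "__main__":
    for label, sd in (("default", DEFAULT_GPO), ("filtered", FILTERED_GPO)):
        print(label, groups_with_read(sd) or "neither group can read: GPO may not apply")
```

An empty result for a GPO whose security filtering was narrowed to a custom group is the situation described in the thread, where the policy stops applying on updated clients.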