samba - Apr 2017 - GPO administration right on the station for ordinary user

Hi Louis,

Am 03.04.2017 um 17:01 schrieb L.P.H. van Belle via
samba:
> But thats missing info..  :-(
>
> Maybe its also a good thing to add just after the first picture on the
wiki.
> That the security filter on the GPO MUST have "authenticated
users" or Domain computer group.
> You decide.
thanks for bringing this up. I will verify this later.

I'm 85% sure, I never set a security filter on GPOs. On the other side, 
it's more than 2 years ago that I wrote this doc and even longer that I 
implemented restricted groups in a production AD. So it's possible that 
I'm wrong. :-)

I looked at some other guides online that describe restricted groups, 
but none (incl. the one you posted in this thread) tells about changing 
the default filter settings.

Why do I need this filter and what happens if I don't set it?

Regards,
Marc

Am 03.04.2017 um 17:21 schrieb Marc Muehlfeld via samba:
> Am 03.04.2017 um 17:01 schrieb L.P.H. van Belle via samba:
>> But thats missing info..  :-(
>>
>> Maybe its also a good thing to add just after the first picture on the
>> wiki.
>> That the security filter on the GPO MUST have "authenticated
users" or
>> Domain computer group.
>> You decide.
I verified the Wiki doc and here it works like described (without 
setting a filter). I did exactly what is described in the Wiki. To 
verify, I added a regular domain user to the domain group I set in the 
GPO, and after I log in as this user on a domain member, this account 
had local admin permissions.

Doesn't this work in your installation? What happens if you don't set 
the filter?


Regards,
Marc

> I verified the Wiki doc and here it works like described (without 
> setting a filter). I did exactly what is described in the Wiki. To 
> verify, I added a regular domain user to the domain group I set in the 
> GPO, and after I log in as this user on a domain member, this account 
> had local admin permissions.
>
> Doesn't this work in your installation? What happens if you don't
set
> the filter?
>
Some months ago my GPOs suddenly stopped being applied. After much head 
scratching I found that a Windows 7 security update had brought a change 
of behavior on the part of the Windows 7 clients.

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum, the "Authenticated Users" and "Domain Computers"
group MUST have
Read Permissions on the Group Policy Object (GPO).

I reported this problem and its solution to this list:
https://lists.samba.org/archive/samba/2016-July/201546.html

The Wiki page you pointed to describes a modification to the *Default 
Domain Policy*. This is probably why you never met the issue I 
described. As I reported on my previous post, the Default Domain Policy 
was the only one that kept working after the Microsoft update. All the 
other GPOs that I had set stopped being applied.