Thank you for your suggestion, I read the whole discussion.

My situation is a little bit different - my machine policy works, but it stops working once I remove Apply permission from Authenticated Users and replace it with Read and Apply permission for Domain Computers.

Group Policy Results in RSAT shows Reason Denied: Access Denied (Security Filtering) for affected computer.

The same result I get with command gpresult /Z /SCOPE COMPUTER:

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Import CA Certificates
Filtering: Denied (Security)

I don't understand why Domain Computers group is not enough...

Michal

2018-08-14 19:27 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Aug 2018 19:07:29 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > Hi all!
> >
> > I have an AD domain based on Samba 4.7.6. I created a group policy that
> > installs CA certificate as trusted root CA.
> >
> > The policy works when security filtering is set to Authenticated
> > Users. But when I remove Apply permission of Authenticated Users in
> > Delegation tab (Read permission remains) and add Domain Computers to
> > Security Filtering, policy is not applied anymore.
> >
> > I am a newbie in AD but I thought that Read and Apply permissions for
> > Domain Computers should be enough if the policy changes computer
> > configuration only. Is that assumption wrong? Or should I look further
> > for a problem in my Samba configuration?
> >
> > I don't get any errors on my workstation when running
> > gpupdate /force, the policy is just not applied.
> >
> > Any help would be appreciated!
> >
> > Michal
>
> Reading this thread might help:
>
> https://lists.samba.org/archive/samba/2018-February/213656.html
>
> Rowland

On Tue, 14 Aug 2018 20:15:04 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> Thank you for your suggestion, I read the whole discussion.
>
> My situation is a little bit different - my machine policy works, but it
> stops working once I remove Apply permission from Authenticated Users
> and replace it with Read and Apply permission for Domain Computers.
>
> Group Policy Results in RSAT shows Reason Denied: Access Denied
> (Security Filtering) for affected computer.
>
> The same result I get with command gpresult /Z /SCOPE COMPUTER:
>
> The following GPOs were not applied because they were filtered out
> -------------------------------------------------------------------
> Import CA Certificates
> Filtering: Denied (Security)
>
> I don't understand why Domain Computers group is not enough...
>

That triggered a memory 'MS16-072', see here:

https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2

and here:

https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016

Also here:

https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP

Rowland

2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Aug 2018 20:15:04 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your suggestion, I read the whole discussion.
> >
> > My situation is a little bit different - my machine policy works, but it
> > stops working once I remove Apply permission from Authenticated Users
> > and replace it with Read and Apply permission for Domain Computers.
> >
> > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > (Security Filtering) for affected computer.
> >
> > The same result I get with command gpresult /Z /SCOPE COMPUTER:
> >
> > The following GPOs were not applied because they were filtered out
> > -------------------------------------------------------------------
> > Import CA Certificates
> > Filtering: Denied (Security)
> >
> > I don't understand why Domain Computers group is not enough...
> >
>
> That triggered a memory 'MS16-072', see here:
>
> https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
>
> and here:
>
> https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
>
> Also here:
>
> https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
>
> Rowland
>

I know about those changes, but they affected only user policies (context changed from user to computer account while retrieving the policy from server).

I would appreciate it a lot if somebody could test my scenario on a Samba AD domain - create any group policy that affects computer configuration and set Security Filtering to Domain Computers only.

Michal
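
Added example, not part of the original thread or written by its participants: a PowerShell sketch of the test scenario requested in the last message, using the RSAT GroupPolicy module. The GPO name, OU distinguished name and registry key are constructed placeholders, and it is an assumption that these cmdlets behave against a Samba DC as they do against a Windows DC.

```powershell
# Run as a domain administrator on a domain-joined Windows machine with RSAT installed.
Import-Module GroupPolicy

$gpoName = 'Filter Test'                        # constructed GPO name
$target  = 'OU=Workstations,DC=example,DC=com'  # placeholder: OU holding the test computer

# 1. Create the GPO, link it, and give it one computer-configuration setting
#    so that gpresult has something to report (constructed registry key).
New-GPO -Name $gpoName | New-GPLink -Target $target | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\FilterTest' `
    -ValueName 'Applied' -Type DWord -Value 1 | Out-Null

# 2. Authenticated Users: replace the default Read+Apply with Read only,
#    which is the Delegation-tab change described in the thread.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Domain Computers: Read+Apply, i.e. the only entry in Security Filtering.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Show the resulting delegation so it can be compared with the GPMC view.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Sort-Object Trustee |
    Format-Table -AutoSize

# 5. On the test workstation (elevated prompt), refresh and inspect the result
#    with the same commands used in the thread:
#      gpupdate /force
#      gpresult /Z /SCOPE COMPUTER
```

If the GPO still appears under "not applied because they were filtered out" with this delegation, the output of step 4 shows whether the permissions stored for the GPO match what was set.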