2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Aug 2018 20:15:04 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your suggestion, I read the whole discussion.
> >
> > My situation is a little bit different - my machine policy works, but it
> > stops working once I remove the Apply permission from Authenticated Users
> > and replace it with Read and Apply permission for Domain Computers.
> >
> > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > (Security Filtering) for the affected computer.
> >
> > I get the same result with the command gpresult /Z /SCOPE COMPUTER:
> >
> > The following GPOs were not applied because they were filtered out
> > -------------------------------------------------------------------
> > Import CA Certificates
> > Filtering: Denied (Security)
> >
> > I don't understand why the Domain Computers group is not enough...
> >
>
> That triggered a memory 'MS16-072', see here:
>
> https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
>
> and here:
>
> https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
>
> Also here:
>
> https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
>
> Rowland

I know about those changes, but they affected only user policies (the context
changed from user to computer account while retrieving the policy from the
server).

I would appreciate it a lot if somebody could test my scenario on a Samba AD
domain - create any group policy that affects computer configuration and
set Security Filtering to Domain Computers only.

Michal
On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:
> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>
>> On Tue, 14 Aug 2018 20:15:04 +0200
>> Michal Sládek via samba <samba at lists.samba.org> wrote:
>>
>>> Thank you for your suggestion, I read the whole discussion.
>>>
>>> My situation is a little bit different - my machine policy works, but it
>>> stops working once I remove the Apply permission from Authenticated Users
>>> and replace it with Read and Apply permission for Domain Computers.
>>>
>>> Group Policy Results in RSAT shows Reason Denied: Access Denied
>>> (Security Filtering) for the affected computer.
>>>
>>> I get the same result with the command gpresult /Z /SCOPE COMPUTER:
>>>
>>> The following GPOs were not applied because they were filtered out
>>> -------------------------------------------------------------------
>>> Import CA Certificates
>>> Filtering: Denied (Security)
>>>
>>> I don't understand why the Domain Computers group is not enough...
>>>
>>
>> That triggered a memory 'MS16-072', see here:
>>
>> https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
>>
>> and here:
>>
>> https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
>>
>> Also here:
>>
>> https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
>>
>> Rowland
>>
>
> I know about those changes, but they affected only user policies (the context
> changed from user to computer account while retrieving the policy from the
> server).
>
> I would appreciate it a lot if somebody could test my scenario on a Samba AD
> domain - create any group policy that affects computer configuration and
> set Security Filtering to Domain Computers only.

Fedora?

>
> Michal
>
Servers run CentOS 7, workstations run Windows 10 Pro with the latest updates.
I use the Tranquil repo: http://samba.tranquil.it/centos7/stable/x86_64/

The whole domain is new, no migration, everything was set up according to the
Samba wiki (which is excellent by the way!)

Michal

2018-08-14 21:04 GMT+02:00 Robert Marcano via samba <samba at lists.samba.org>:

> On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:
>
>> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>>
>>> On Tue, 14 Aug 2018 20:15:04 +0200
>>> Michal Sládek via samba <samba at lists.samba.org> wrote:
>>>
>>>> Thank you for your suggestion, I read the whole discussion.
>>>>
>>>> My situation is a little bit different - my machine policy works, but it
>>>> stops working once I remove the Apply permission from Authenticated Users
>>>> and replace it with Read and Apply permission for Domain Computers.
>>>>
>>>> Group Policy Results in RSAT shows Reason Denied: Access Denied
>>>> (Security Filtering) for the affected computer.
>>>>
>>>> I get the same result with the command gpresult /Z /SCOPE COMPUTER:
>>>>
>>>> The following GPOs were not applied because they were filtered out
>>>> -------------------------------------------------------------------
>>>> Import CA Certificates
>>>> Filtering: Denied (Security)
>>>>
>>>> I don't understand why the Domain Computers group is not enough...
>>>>
>>>
>>> That triggered a memory 'MS16-072', see here:
>>>
>>> https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
>>>
>>> and here:
>>>
>>> https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
>>>
>>> Also here:
>>>
>>> https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
>>>
>>> Rowland
>>>
>>
>> I know about those changes, but they affected only user policies (the context
>> changed from user to computer account while retrieving the policy from the
>> server).
>>
>> I would appreciate it a lot if somebody could test my scenario on a Samba AD
>> domain - create any group policy that affects computer configuration and
>> set Security Filtering to Domain Computers only.
>>
>
> Fedora?
>
>> Michal
>>
On Tue, 14 Aug 2018 20:52:04 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Tue, 14 Aug 2018 20:15:04 +0200
> > Michal Sládek via samba <samba at lists.samba.org> wrote:
> >
> > > Thank you for your suggestion, I read the whole discussion.
> > >
> > > My situation is a little bit different - my machine policy works,
> > > but it stops working once I remove the Apply permission from
> > > Authenticated Users and replace it with Read and Apply permission
> > > for Domain Computers.
> > >
> > > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > > (Security Filtering) for the affected computer.
> > >
> > > I get the same result with the command gpresult /Z /SCOPE COMPUTER:
> > >
> > > The following GPOs were not applied because they were
> > > filtered out
> > > -------------------------------------------------------------------
> > > Import CA Certificates
> > > Filtering: Denied (Security)
> > >
> > > I don't understand why the Domain Computers group is not enough...
> > >
> >
> > That triggered a memory 'MS16-072', see here:
> >
> > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> >
> > and here:
> >
> > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> >
> > Also here:
> >
> > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> >
> > Rowland
> >
>
> I know about those changes, but they affected only user policies
> (the context changed from user to computer account while retrieving the
> policy from the server).

What is the difference between an AD user and a computer ?

One objectclass -> 'computer'
The 'sAMAccountName' attribute content has a '$' on the end.
That is it.

A computer, when it is logged in, is a member of 'Authenticated Users'

Rowland
2018-08-14 22:51 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 14 Aug 2018 20:52:04 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Tue, 14 Aug 2018 20:15:04 +0200
> > > Michal Sládek via samba <samba at lists.samba.org> wrote:
> > >
> > > > Thank you for your suggestion, I read the whole discussion.
> > > >
> > > > My situation is a little bit different - my machine policy works,
> > > > but it stops working once I remove the Apply permission from
> > > > Authenticated Users and replace it with Read and Apply permission
> > > > for Domain Computers.
> > > >
> > > > Group Policy Results in RSAT shows Reason Denied: Access Denied
> > > > (Security Filtering) for the affected computer.
> > > >
> > > > I get the same result with the command gpresult /Z /SCOPE COMPUTER:
> > > >
> > > > The following GPOs were not applied because they were
> > > > filtered out
> > > > -------------------------------------------------------------------
> > > > Import CA Certificates
> > > > Filtering: Denied (Security)
> > > >
> > > > I don't understand why the Domain Computers group is not enough...
> > > >
> > >
> > > That triggered a memory 'MS16-072', see here:
> > >
> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> > >
> > > and here:
> > >
> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> > >
> > > Also here:
> > >
> > > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> > >
> > > Rowland
> > >
> >
> > I know about those changes, but they affected only user policies
> > (the context changed from user to computer account while retrieving the
> > policy from the server).
>
> What is the difference between an AD user and a computer ?
>
> One objectclass -> 'computer'
> The 'sAMAccountName' attribute content has a '$' on the end.
> That is it.
>
> A computer, when it is logged in, is a member of 'Authenticated Users'
>
> Rowland

That is exactly the reason why I would expect a computer configuration group
policy to work with the Domain Computers group. But your note inspired me to
make another test. I changed Security Filtering from the Domain Computers
group to a computer account, in my case WINMGMT$ (AD\WINMGMT$). And the
policy started to work, which really makes me crazy.

What is the difference? The Winmgmt computer is a domain member and so a
member of the Domain Computers group. Now I really don't understand the
behavior. The group policy is linked to the whole domain, I didn't create any
custom OU...

Michal
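An added diagnostic for the situation Michal describes; it is not code from this thread, from Samba or from Microsoft. It builds the set of SIDs a computer account carries at logon (its own SID, its primary group, its memberOf groups and Authenticated Users) and compares them with the GPO's security-filtering entries, reporting whether Read and Apply are both satisfied. Note that Domain Computers membership normally comes from primaryGroupID (RID 515) and is not listed in memberOf, which is why a plain memberOf lookup can mislead. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined Windows host, and uses the thread's GPO and computer names as defaults.

```powershell
# Added diagnostic (not from the thread): which GPO security-filtering entries
# actually match a given computer's logon token, and do they grant Read + Apply?
param(
    [string]$GpoName      = 'Import CA Certificates',   # GPO name from the thread
    [string]$ComputerName = 'WINMGMT'                   # computer from the thread
)
Import-Module GroupPolicy, ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$computer  = Get-ADComputer -Identity $ComputerName -Properties primaryGroupID, memberOf

# SIDs present in the computer's token: its own SID, its primary group
# (Domain Computers, RID 515, which is NOT listed in memberOf), every
# explicit memberOf group, and the well-known Authenticated Users (S-1-5-11).
$effectiveSids = @($computer.SID.Value,
                   "$domainSid-$($computer.primaryGroupID)",
                   'S-1-5-11')
foreach ($dn in $computer.memberOf) {
    $effectiveSids += (Get-ADGroup -Identity $dn).SID.Value
}

$readOk = $false; $applyOk = $false
foreach ($ace in Get-GPPermission -Name $GpoName -All) {
    if ($ace.Denied) { continue }                       # deny ACEs never help
    $sid = $ace.Trustee.Sid.Value
    if ($effectiveSids -notcontains $sid) { continue }  # trustee not in token
    # GpoApply and the GpoEdit* levels all include Read; GpoCustom is unknown.
    if ($ace.Permission -ne 'GpoCustom') { $readOk = $true }
    if ($ace.Permission -eq 'GpoApply')  { $applyOk = $true }
    '{0,-40} {1}' -f $ace.Trustee.Name, $ace.Permission
}

"Read  granted to $ComputerName`$ via token groups: $readOk"
"Apply granted to $ComputerName`$ via token groups: $applyOk"

# MS16-072 (linked in the thread) makes user policy retrieval run in the
# computer's security context, so a GPO whose Apply is narrowed to a group
# should still leave Read for Authenticated Users or Domain Computers.
$authUsers = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -ErrorAction SilentlyContinue
if (-not $authUsers) {
    Write-Warning "Authenticated Users has no entry on '$GpoName' (MS16-072 caveat)."
}
```

If both flags print True here but gpresult still reports Denied (Security), the LDAP ACL is not the problem and the sysvol-side copy of the GPO is the next thing to compare.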