2018-08-14 22:51 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:> On Tue, 14 Aug 2018 20:52:04 +0200 > Michal Sládek via samba <samba at lists.samba.org> wrote: > > > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba > > <samba at lists.samba.org>: > > > > > On Tue, 14 Aug 2018 20:15:04 +0200 > > > Michal Sládek via samba <samba at lists.samba.org> wrote: > > > > > > > Thank you for your suggestion, I read the whole discussion. > > > > > > > > My situation is little bit different - my machine policy works, > > > > but it stops working once I remove Apply permission from > > > > Authenticated Users and replace it with Read and Apply permission > > > > for Domain Computers. > > > > > > > > Group Policy Results in RSAT shows Reason Denied: Access Denied > > > > (Security Filtering) for affected computer. > > > > > > > > The same result I get with command gpresult /Z /SCOPE COMPUTER: > > > > > > > > The following GPOs were not applied because they were > > > > filtered out > > > > ------------------------------------------------------------------- > > > > Import CA Certificates Filtering: Denied (Security) > > > > > > > > I don't understand why Domain Computers group is not enough... > > > > > > > > > > That triggered a memory 'MS16-072', see here: > > > > > > https://support.microsoft.com/en-gb/help/3159398/ms16-072- > > > description-of-the-security-update-for-group-policy-june-14-2 > > > > > > and here: > > > > > > https://support.microsoft.com/en-gb/help/3163622/ms16-072- > > > security-update-for-group-policy-june-14-2016 > > > > > > Also here: > > > > > > https://social.technet.microsoft.com/Forums/windows/ > > > en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after- > > > ms16072-updates?forum=winserverGP > > > > > > Rowland > > > > > > > I know about those changes, but they affected only user policies > > (context changed from user to computer account while retrieving the > > policy from server). > > What is the difference between an AD user and a computer ? > > One objectclass -> 'computer' > The 'sAMAccountName' attribute content has a '$' on the end. > That is it. > > A computer, when it is logged in, is a member of 'Authenticated Users' > > Rowland >That is exactly the reason why I would expect computer configuration group policy to work with Domain Computers group. But your note inspired me to make another test. I changed Security Filtering from Domain Computers group to a computer account, in my case WINMGMT$ (AD\WINMGMT$). And the policy started to work which really makes me crazy. What is the difference? Winmgmt computer is a domain member and so the member of Domain Computers group. Now I really don't understand the behavior. The group policy is linked to the whole domain, I didn't create any custom OU... Michal
2018-08-15 6:56 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:> 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org> > : > >> On Tue, 14 Aug 2018 20:52:04 +0200 >> Michal Sládek via samba <samba at lists.samba.org> wrote: >> >> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba >> > <samba at lists.samba.org>: >> > >> > > On Tue, 14 Aug 2018 20:15:04 +0200 >> > > Michal Sládek via samba <samba at lists.samba.org> wrote: >> > > >> > > > Thank you for your suggestion, I read the whole discussion. >> > > > >> > > > My situation is little bit different - my machine policy works, >> > > > but it stops working once I remove Apply permission from >> > > > Authenticated Users and replace it with Read and Apply permission >> > > > for Domain Computers. >> > > > >> > > > Group Policy Results in RSAT shows Reason Denied: Access Denied >> > > > (Security Filtering) for affected computer. >> > > > >> > > > The same result I get with command gpresult /Z /SCOPE COMPUTER: >> > > > >> > > > The following GPOs were not applied because they were >> > > > filtered out >> > > > ------------------------------------------------------------------- >> > > > Import CA Certificates Filtering: Denied (Security) >> > > > >> > > > I don't understand why Domain Computers group is not enough... >> > > > >> > > >> > > That triggered a memory 'MS16-072', see here: >> > > >> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072- >> > > description-of-the-security-update-for-group-policy-june-14-2 >> > > >> > > and here: >> > > >> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072- >> > > security-update-for-group-policy-june-14-2016 >> > > >> > > Also here: >> > > >> > > https://social.technet.microsoft.com/Forums/windows/ >> > > en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after- >> > > ms16072-updates?forum=winserverGP >> > > >> > > Rowland >> > > >> > >> > I know about those changes, but they affected only user policies >> > (context changed from user to computer account while retrieving the >> > policy from server). >> >> What is the difference between an AD user and a computer ? >> >> One objectclass -> 'computer' >> The 'sAMAccountName' attribute content has a '$' on the end. >> That is it. >> >> A computer, when it is logged in, is a member of 'Authenticated Users' >> >> Rowland >> > > That is exactly the reason why I would expect computer configuration group > policy to work with Domain Computers group. > > But your note inspired me to make another test. I changed Security > Filtering from Domain Computers group to a computer account, in my case > WINMGMT$ (AD\WINMGMT$). And the policy started to work which really makes > me crazy. What is the difference? Winmgmt computer is a domain member and > so the member of Domain Computers group. > > Now I really don't understand the behavior. The group policy is linked to > the whole domain, I didn't create any custom OU... > > Michal >Does anybody have any suggestion, why group policies related to computer configuration work when Security Filtering is set to Authenticated Users or computer account but don't work when Security Filtering is set to Domain Computers group? I would really like to know, whether this is bug in Samba code or in my brain... Michal
On Wed, 15 Aug 2018 18:34:58 +0200 Michal Sládek via samba <samba at lists.samba.org> wrote:> 2018-08-15 6:56 GMT+02:00 Michal Sládek <michal at sladkovi.eu>: > > > 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba > > <samba at lists.samba.org> : > > > >> On Tue, 14 Aug 2018 20:52:04 +0200 > >> Michal Sládek via samba <samba at lists.samba.org> wrote: > >> > >> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba > >> > <samba at lists.samba.org>: > >> > > >> > > On Tue, 14 Aug 2018 20:15:04 +0200 > >> > > Michal Sládek via samba <samba at lists.samba.org> wrote: > >> > > > >> > > > Thank you for your suggestion, I read the whole discussion. > >> > > > > >> > > > My situation is little bit different - my machine policy > >> > > > works, but it stops working once I remove Apply permission > >> > > > from Authenticated Users and replace it with Read and Apply > >> > > > permission for Domain Computers. > >> > > > > >> > > > Group Policy Results in RSAT shows Reason Denied: Access > >> > > > Denied (Security Filtering) for affected computer. > >> > > > > >> > > > The same result I get with command gpresult /Z /SCOPE > >> > > > COMPUTER: > >> > > > > >> > > > The following GPOs were not applied because they were > >> > > > filtered out > >> > > > ------------------------------------------------------------------- > >> > > > Import CA Certificates Filtering: Denied (Security) > >> > > > > >> > > > I don't understand why Domain Computers group is not > >> > > > enough... > >> > > > > >> > > > >> > > That triggered a memory 'MS16-072', see here: > >> > > > >> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072- > >> > > description-of-the-security-update-for-group-policy-june-14-2 > >> > > > >> > > and here: > >> > > > >> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072- > >> > > security-update-for-group-policy-june-14-2016 > >> > > > >> > > Also here: > >> > > > >> > > https://social.technet.microsoft.com/Forums/windows/ > >> > > en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after- > >> > > ms16072-updates?forum=winserverGP > >> > > > >> > > Rowland > >> > > > >> > > >> > I know about those changes, but they affected only user policies > >> > (context changed from user to computer account while retrieving > >> > the policy from server). > >> > >> What is the difference between an AD user and a computer ? > >> > >> One objectclass -> 'computer' > >> The 'sAMAccountName' attribute content has a '$' on the end. > >> That is it. > >> > >> A computer, when it is logged in, is a member of 'Authenticated > >> Users' > >> > >> Rowland > >> > > > > That is exactly the reason why I would expect computer > > configuration group policy to work with Domain Computers group. > > > > But your note inspired me to make another test. I changed Security > > Filtering from Domain Computers group to a computer account, in my > > case WINMGMT$ (AD\WINMGMT$). And the policy started to work which > > really makes me crazy. What is the difference? Winmgmt computer is > > a domain member and so the member of Domain Computers group. > > > > Now I really don't understand the behavior. The group policy is > > linked to the whole domain, I didn't create any custom OU... > > > > Michal > > > > Does anybody have any suggestion, why group policies related to > computer configuration work when Security Filtering is set to > Authenticated Users or computer account but don't work when Security > Filtering is set to Domain Computers group? I would really like to > know, whether this is bug in Samba code or in my brain... > > MichalYou don't seem to want accept what I have told you, so I found you yet another webpage: https://www.experts-exchange.com/questions/29018822/Been-testing-with-a-GPO-to-deploy-a-certificate-with-a-TEST-OU-How-would-I-apply-it-to-Production-so-that-all-machines-reecive-the-GPO.html Rowland