On Wed, 15 Aug 2018 18:34:58 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> 2018-08-15 6:56 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:
>
> > 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> >> On Tue, 14 Aug 2018 20:52:04 +0200
> >> Michal Sládek via samba <samba at lists.samba.org> wrote:
> >>
> >> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> >> > <samba at lists.samba.org>:
> >> >
> >> > > On Tue, 14 Aug 2018 20:15:04 +0200
> >> > > Michal Sládek via samba <samba at lists.samba.org> wrote:
> >> > >
> >> > > > Thank you for your suggestion, I read the whole discussion.
> >> > > >
> >> > > > My situation is a little bit different - my machine policy
> >> > > > works, but it stops working once I remove Apply permission
> >> > > > from Authenticated Users and replace it with Read and Apply
> >> > > > permission for Domain Computers.
> >> > > >
> >> > > > Group Policy Results in RSAT shows Reason Denied: Access
> >> > > > Denied (Security Filtering) for affected computer.
> >> > > >
> >> > > > The same result I get with command gpresult /Z /SCOPE
> >> > > > COMPUTER:
> >> > > >
> >> > > > The following GPOs were not applied because they were
> >> > > > filtered out
> >> > > > -------------------------------------------------------------------
> >> > > > Import CA Certificates Filtering: Denied (Security)
> >> > > >
> >> > > > I don't understand why Domain Computers group is not
> >> > > > enough...
> >> > > >
> >> > >
> >> > > That triggered a memory 'MS16-072', see here:
> >> > >
> >> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> >> > >
> >> > > and here:
> >> > >
> >> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> >> > >
> >> > > Also here:
> >> > >
> >> > > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> >> > >
> >> > > Rowland
> >> > >
> >> >
> >> > I know about those changes, but they affected only user policies
> >> > (context changed from user to computer account while retrieving
> >> > the policy from server).
> >>
> >> What is the difference between an AD user and a computer?
> >>
> >> One objectclass -> 'computer'
> >> The 'sAMAccountName' attribute content has a '$' on the end.
> >> That is it.
> >>
> >> A computer, when it is logged in, is a member of 'Authenticated
> >> Users'
> >>
> >> Rowland
> >>
> >
> > That is exactly the reason why I would expect computer
> > configuration group policy to work with Domain Computers group.
> >
> > But your note inspired me to make another test. I changed Security
> > Filtering from Domain Computers group to a computer account, in my
> > case WINMGMT$ (AD\WINMGMT$). And the policy started to work, which
> > really makes me crazy. What is the difference? Winmgmt computer is
> > a domain member and so the member of Domain Computers group.
> >
> > Now I really don't understand the behavior. The group policy is
> > linked to the whole domain, I didn't create any custom OU...
> >
> > Michal
> >
>
> Does anybody have any suggestion, why group policies related to
> computer configuration work when Security Filtering is set to
> Authenticated Users or computer account but don't work when Security
> Filtering is set to Domain Computers group? I would really like to
> know, whether this is a bug in Samba code or in my brain...
>
> Michal

You don't seem to want to accept what I have told you, so I found you yet
another webpage:

https://www.experts-exchange.com/questions/29018822/Been-testing-with-a-GPO-to-deploy-a-certificate-with-a-TEST-OU-How-would-I-apply-it-to-Production-so-that-all-machines-reecive-the-GPO.html

Rowland
2018-08-15 18:59 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 15 Aug 2018 18:34:58 +0200
> Michal Sládek via samba <samba at lists.samba.org> wrote:
>
> > 2018-08-15 6:56 GMT+02:00 Michal Sládek <michal at sladkovi.eu>:
> >
> > > 2018-08-14 22:51 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > >
> > >> On Tue, 14 Aug 2018 20:52:04 +0200
> > >> Michal Sládek via samba <samba at lists.samba.org> wrote:
> > >>
> > >> > 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba
> > >> > <samba at lists.samba.org>:
> > >> >
> > >> > > On Tue, 14 Aug 2018 20:15:04 +0200
> > >> > > Michal Sládek via samba <samba at lists.samba.org> wrote:
> > >> > >
> > >> > > > Thank you for your suggestion, I read the whole discussion.
> > >> > > >
> > >> > > > My situation is a little bit different - my machine policy
> > >> > > > works, but it stops working once I remove Apply permission
> > >> > > > from Authenticated Users and replace it with Read and Apply
> > >> > > > permission for Domain Computers.
> > >> > > >
> > >> > > > Group Policy Results in RSAT shows Reason Denied: Access
> > >> > > > Denied (Security Filtering) for affected computer.
> > >> > > >
> > >> > > > The same result I get with command gpresult /Z /SCOPE
> > >> > > > COMPUTER:
> > >> > > >
> > >> > > > The following GPOs were not applied because they were
> > >> > > > filtered out
> > >> > > > -------------------------------------------------------------------
> > >> > > > Import CA Certificates Filtering: Denied (Security)
> > >> > > >
> > >> > > > I don't understand why Domain Computers group is not
> > >> > > > enough...
> > >> > > >
> > >> > >
> > >> > > That triggered a memory 'MS16-072', see here:
> > >> > >
> > >> > > https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
> > >> > >
> > >> > > and here:
> > >> > >
> > >> > > https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
> > >> > >
> > >> > > Also here:
> > >> > >
> > >> > > https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
> > >> > >
> > >> > > Rowland
> > >> > >
> > >> >
> > >> > I know about those changes, but they affected only user policies
> > >> > (context changed from user to computer account while retrieving
> > >> > the policy from server).
> > >>
> > >> What is the difference between an AD user and a computer?
> > >>
> > >> One objectclass -> 'computer'
> > >> The 'sAMAccountName' attribute content has a '$' on the end.
> > >> That is it.
> > >>
> > >> A computer, when it is logged in, is a member of 'Authenticated
> > >> Users'
> > >>
> > >> Rowland
> > >>
> > >
> > > That is exactly the reason why I would expect computer
> > > configuration group policy to work with Domain Computers group.
> > >
> > > But your note inspired me to make another test. I changed Security
> > > Filtering from Domain Computers group to a computer account, in my
> > > case WINMGMT$ (AD\WINMGMT$). And the policy started to work, which
> > > really makes me crazy. What is the difference? Winmgmt computer is
> > > a domain member and so the member of Domain Computers group.
> > >
> > > Now I really don't understand the behavior. The group policy is
> > > linked to the whole domain, I didn't create any custom OU...
> > >
> > > Michal
> > >
> >
> > Does anybody have any suggestion, why group policies related to
> > computer configuration work when Security Filtering is set to
> > Authenticated Users or computer account but don't work when Security
> > Filtering is set to Domain Computers group? I would really like to
> > know, whether this is a bug in Samba code or in my brain...
> >
> > Michal
>
> You don't seem to want to accept what I have told you, so I found you yet
> another webpage:
>
> https://www.experts-exchange.com/questions/29018822/Been-testing-with-a-GPO-to-deploy-a-certificate-with-a-TEST-OU-How-would-I-apply-it-to-Production-so-that-all-machines-reecive-the-GPO.html
>
> Rowland
>

I really appreciate your effort to help me, I just don't understand
the suggested solution.

My group policy is related to computer configuration, not user
configuration. Authenticated Users include both users and computers
(once authenticated) so they unnecessarily include users. That's why
I would like to use Domain Computers group instead (just to be more
restrictive). MS16-072 states: "After MS16-072 is installed, USER
group policies are retrieved by using the computer's security
context." I suppose that COMPUTER group policies are retrieved by
computer's security context too. That's why I expect replacing
Authenticated Users with Domain Computers to work. But they don't :-(

My computer accounts are placed in the default Computers folder.
My group policy is linked to the domain root.
I checked SYSVOL permissions and permissions of underlying folders.
Everything is readable for Authenticated Users (so computer account
should be able to access it after successful authentication).
Everything works when I replace Domain Computers with appropriate
computer account (Why? What is the difference between setting
permission to a group or to a specific group member?)

I really apologize if I miss something obvious. I just don't get it.

Michal
On Wed, 15 Aug 2018 20:06:02 +0200
Michal Sládek via samba <samba at lists.samba.org> wrote:

> I really appreciate your effort to help me, I just don't understand
> the suggested solution.
>
> My group policy is related to computer configuration, not user
> configuration. Authenticated Users include both users and computers
> (once authenticated) so they unnecessarily include users. That's why
> I would like to use Domain Computers group instead (just to be more
> restrictive). MS16-072 states: "After MS16-072 is installed, USER
> group policies are retrieved by using the computer's security
> context." I suppose that COMPUTER group policies are retrieved by
> computer's security context too. That's why I expect replacing
> Authenticated Users with Domain Computers to work. But they don't :-(
>
> My computer accounts are placed in the default Computers folder.
> My group policy is linked to the domain root.
> I checked SYSVOL permissions and permissions of underlying folders.
> Everything is readable for Authenticated Users (so computer account
> should be able to access it after successful authentication).
> Everything works when I replace Domain Computers with appropriate
> computer account (Why? What is the difference between setting
> permission to a group or to a specific group member?)
>
> I really apologize if I miss something obvious. I just don't get it.
>
> Michal

OK, I give in, my last comment is this: this is not a Samba problem,
it is an AD GPO problem. Go and search the internet on this topic.

Rowland Penny
Samba team member
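An added example, not code from the thread or from Samba: a PowerShell audit of a GPO's permissions as GPMC reports them, checking the two things gpresult's "Denied (Security)" depends on, that some principal holds Apply Group Policy and that a principal the computer's token carries can at least read the GPO (the MS16-072 requirement). It assumes the GroupPolicy RSAT module is installed, reuses the thread's GPO name "Import CA Certificates", and the principal names in $ComputerPrincipals are an assumption to adjust for your domain.

```powershell
# Added example, not from the thread: audit security filtering on one GPO.
Import-Module GroupPolicy

function Test-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Assumed: principals a domain computer's token carries when it
        # retrieves policy in its own security context (MS16-072 behaviour).
        [string[]] $ComputerPrincipals = @('Authenticated Users', 'Domain Computers')
    )

    # -All returns one entry per trustee with its effective permission level
    # (GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity, GpoCustom).
    $perms = Get-GPPermission -Name $GpoName -All

    # Flat view of the ACL, the same data GPMC shows under Delegation.
    $perms | ForEach-Object {
        [pscustomobject]@{
            Trustee    = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
            SidType    = $_.Trustee.SidType
            Permission = $_.Permission
            Denied     = $_.Denied
            Inherited  = $_.Inherited
        }
    } | Format-Table -AutoSize

    # Any non-denied level at GpoRead or above lets the trustee read the GPO;
    # GpoApply is the level GPMC grants for Read + Apply Group Policy.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $readers  = $perms | Where-Object { -not $_.Denied -and
                                        $_.Permission -in $readLevels -and
                                        $_.Trustee.Name -in $ComputerPrincipals }
    $appliers = $perms | Where-Object { -not $_.Denied -and $_.Permission -eq 'GpoApply' }

    if (-not $readers) {
        Write-Warning ("None of [{0}] can read '{1}'; after MS16-072 expect " +
                       "'Denied (Security)' in gpresult." -f ($ComputerPrincipals -join ', '), $GpoName)
    }
    if (-not $appliers) {
        Write-Warning "No trustee holds Apply Group Policy on '$GpoName'; it will never apply."
    } else {
        'Apply Group Policy granted to: ' + (($appliers | ForEach-Object { $_.Trustee.Name }) -join ', ')
    }
}

Test-GpoSecurityFiltering -GpoName 'Import CA Certificates'
```

Compare the output with `gpresult /Z /SCOPE COMPUTER` on the affected client: a trustee listed here with GpoApply but still "Denied (Security)" there means the client's computer token did not contain that group's SID at evaluation time, which is the situation the thread describes for Domain Computers.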