Post by L.P.H. van Belle
A good howto, for example:
http://www.itingredients.com/how-to-disable-usb-ports-using-group-policy/
Only I did not do this as a computer policy but as a user policy.
In short,
USB-Allowed
USB-Denied
2) create 2 policy objects,
USB-Allowed
USB-Denied
And set in the allow policies
(as shown in the link, but under the user policies)
3) add the correct group to the same GPO object (allowed with allowed, etc.).
4) link the policy objects in an OU where you can test and where the user is.
5) set the order of these policies to Allowed above the Denied.
Order 1 2 3 is applied as 3 2 1.
1 is highest, so...
This is a bit like what I have...
Domain users: all external devices are denied.
DVD-Read
DVD-Write
USB-... etc.
And all these are failing.
I noticed all security groups which are not "Authenticated Users" are failing.
Which is a problem for me since all my policies are group right based.
I also noticed that in my Samba 4 AD DC domain I have 4 groups in "ForeignSecurityPrincipals" (CN=ForeignSecurityPrincipals):
S-1-5-4 (member of: Users in CN=Builtin)
S-1-5-11 (member of: Users and Pre-Windows 2000... in CN=Builtin)
S-1-5-17 (member of: IIS_IUSRS in CN=Builtin)
S-1-5-9 (member of: Windows Authorization Access Group in CN=Builtin)
I don't see any in ForeignSecurityPrincipals on my 2008R
Hi Louis,
I created a USB-Denied policy and granted rights to a domain group
called "USB-Denied".
In the test environment I do not assign uids and gids and rely
completely on winbindd.
Here are the ACLs. The policy applies to a normal user who is a
member of "USB-Denied".
***@dc1:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: DOMAIN\134domain\040admins
# group: DOMAIN\134domain\040admins
user::rwx
user:3000002:rwx
user:DOMAIN\134enterprise\040admins:rwx
user:3000010:r-x
user:DOMAIN\134usb\040denied:r-x
group::rwx
group:3000002:rwx
group:DOMAIN\134enterprise\040admins:rwx
group:DOMAIN\134domain\040admins:rwx
group:3000010:r-x
group:DOMAIN\134usb\040denied:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:DOMAIN\134enterprise\040admins:rwx
default:user:DOMAIN\134domain\040admins:rwx
default:user:3000010:r-x
default:user:DOMAIN\134usb\040denied:r-x
default:group::---
default:group:3000002:rwx
default:group:DOMAIN\134enterprise\040admins:rwx
default:group:DOMAIN\134domain\040admins:rwx
default:group:3000010:r-x
default:group:DOMAIN\134usb\040denied:r-x
default:mask::rwx
default:other::---
Replicated to dc2 with
***@dc2:~# rsync -XAavz -e ssh ***@dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
These are the ACLs on dc2.
***@dc2:~# getfacl /var/lib/samba/sysvol/domain.local/Policies/\{8C47B4C4-5084-43CB-BF32-999436E90283\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/domain.local/Policies/{8C47B4C4-5084-43CB-BF32-999436E90283}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
user:guest:rwx
user:enterprise\040admins:rwx
user:denied\040rodc\040password\040replication\040group:r-x
user:usb\040denied:r-x
group::rwx
group:guest:rwx
group:domain\040admins:rwx
group:enterprise\040admins:rwx
group:denied\040rodc\040password\040replication\040group:r-x
group:usb\040denied:r-x
mask::rwx
other::---
default:user::rwx
default:user:guest:rwx
default:user:domain\040admins:rwx
default:user:enterprise\040admins:rwx
default:user:denied\040rodc\040password\040replication\040group:r-x
default:user:usb\040denied:r-x
default:group::---
default:group:guest:rwx
default:group:domain\040admins:rwx
default:group:enterprise\040admins:rwx
default:group:denied\040rodc\040password\040replication\040group:r-x
default:group:usb\040denied:r-x
default:mask::rwx
default:other::---
In this case the gid 3000002 is mapped to the "Guest" group on dc2 and
30000010 to "denied rodc password replication group".
As a normal user I cannot access sysvol on dc2 because the mapping on
/var/lib/samba/sysvol/domain.local is messed up (no Authenticated Users
ACL).
***@dc2:~# getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:guest:rwx
group:domain\040guests:r-x
group:BUILTIN\134server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:guest:rwx
default:group:domain\040guests:r-x
default:group:BUILTIN\134server\040operators:r-x
default:mask::rwx
default:other::---
achim~
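A check for the numeric-id mismatch Achim describes above, added here as an example and not code from the thread or from Samba: it parses getfacl output taken on both DCs (decoding getfacl's \040 and \134 escapes), flags qualifiers that are still bare numeric ids, and lists entries whose permissions differ between the hosts once the DOMAIN\ prefix is ignored. The sample ACL dumps and the {GUID-PLACEHOLDER} are constructed, abbreviated from the getfacl output quoted in the thread.

```python
import re
def unescape(name):
    # getfacl writes special bytes as \ooo octal escapes: \040 is a space, \134 a backslash.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return {(kind, qualifier): perms}; kind is e.g. 'user', 'group' or 'default:user'."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue  # skip the '# file/owner/group' header and getfacl warnings
        *kind_parts, qualifier, perms = line.split(":")
        acl[(":".join(kind_parts), unescape(qualifier))] = perms
    return acl

def short_name(qualifier):
    # 'DOMAIN\usb denied' (dc1) and 'usb denied' (dc2) are the same account.
    return qualifier.rsplit("\\", 1)[-1].lower()

def compare_acls(dc1_text, dc2_text):
    """List entries that are unresolved numeric ids or that differ between the two DCs."""
    a, b = parse_getfacl(dc1_text), parse_getfacl(dc2_text)
    findings = []
    for host, acl in (("dc1", a), ("dc2", b)):
        for (kind, qualifier), perms in acl.items():
            if qualifier.isdigit():
                findings.append(f"{host}: {kind}:{qualifier}:{perms} is an unresolved numeric id")
    norm_a = {(k, short_name(q)): p for (k, q), p in a.items()}
    norm_b = {(k, short_name(q)): p for (k, q), p in b.items()}
    for kind, name in sorted(set(norm_a) | set(norm_b)):
        pa, pb = norm_a.get((kind, name)), norm_b.get((kind, name))
        if pa != pb:
            findings.append(f"{kind}:{name} differs: dc1={pa} dc2={pb}")
    return findings

# Constructed sample input, abbreviated from the getfacl dumps in the thread.
DC1_ACL = r"""
# file: var/lib/samba/sysvol/domain.local/Policies/{GUID-PLACEHOLDER}/
user::rwx
user:3000002:rwx
user:DOMAIN\134usb\040denied:r-x
default:user:3000010:r-x
"""
DC2_ACL = r"""
user::rwx
user:guest:rwx
user:usb\040denied:r-x
default:user:denied\040rodc\040password\040replication\040group:r-x
"""
```

Run `compare_acls(DC1_ACL, DC2_ACL)` on real dumps from both DCs; an entry reported as an unresolved numeric id on one host and as a named account on the other is exactly the idmap drift that rsync -A carries across.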
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba