GPO: Deny and allow rules specified in multiple GPO files can result in parts of the list being lost #4194
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3161
If there were deny and allow rules in several GPO files (for example SeRemoteInteractiveLogonRight), we only work with the rule from the last processed GPO file.
If allow rules are used, it can result in users not being able to login.
If deny rules are used, this can result in users being able to login even if they are not supposed to.
Comments
Comment from dpal at 2016-08-30 21:24:50
Michal, let me know if you need help to brainstorm how to merge GPO data in the best way.
Comment from jhrozek at 2016-08-31 17:30:43
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1370255 (Red Hat Enterprise Linux 7)
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1370255 1370255]
Comment from mzidek at 2016-09-21 18:38:22
This ticket is not valid. What I though is a bug was expected behaviour.
resolution: => invalid
status: new => closed
Comment from mzidek at 2017-02-24 14:23:38
Metadata Update from @mzidek:
The text was updated successfully, but these errors were encountered: