URL:
https://github.com/SSSD/sssd/pull/552
Title: #552: GPO: Store security CSE settings of all applicable GPOs
rdratlos commented:
"""
@mzidek-rh
Thank you very much for your review and the comments. I analysed the security CSE
behaviour mid of last year and just have a few notes available. So I briefly checked the
GPO handling on a fresh Windows install and indeed you're right.
merge all rules from applicable GPOs, if the same rule appears in
multiple GPOs override the the settings from previous GPO (respecting the rule
precedende).
This is the way how this fresh Windows install behaves. There is one exception: Enforced
GPO (links) can only be overridden by other enforced GPOs. GPOs with an emtpy rule clear
the SID list from previously evaluated GPOS
Merging SID lists as performed by this patch would be a new feature for SSSD, which is not
in line with the behaviour of standard Window machines.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/552#issuecomment-382183088