Solved

GPO's not appliec

Posted on 2016-07-19
3
103 Views
Last Modified: 2016-07-26
Hi,

We found out that our gpo's are not applied anymore. We've already checked that the security filtering is set the right way. We keep seeing that they're inaccessible when running the group policy results. The group policy also appears in numbers when reviewing in group policy results. Not with its name.

User can also browse to \\domain\sysvol\domain\policies

Any help is appreciated

Regards,
0
Comment
Question by:PramoIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 30

Accepted Solution

by:
Scott C earned 500 total points
ID: 41719363
There was a recent "update" that played havoc with GPOs.

Here are my notes I compiled on it.

New Group Policy Patch MS16-072– “Breaks” GP Processing Behavior

Thursday, June 16, 2016
4:42 PM

This morning I woke up to an email from a fellow Group Policy MVP–Martin Binder–warning that folks were seeing GP Processing issues after the recent slew of Patch Tuesday updates were applied. Indeed, I had noted late on Tuesday via Twitter

A GPO with no Authenticated Users in Security Filtering
 
And you’d removed Authenticated Users completely from the GPO’s delegation, then GPO processing for per-user settings would fail after applying MS16-072.  As the day went on, I mostly ignored this issue, until tonight I read the KB article surrounding this patch in detail. Specifically, there’s a section called Known Issues where it says the following:
 
“MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context”
Um….that’s big. What it’s saying is that per-user GP processing has fundamentally changed. It goes on to further say:
“This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.”
Indeed, many people found that by adding back the Authenticated Users Access Control Entry (ACE) to the GPO’s delegation with Read access (NOTE: I AM SAYING READ ACCESS–THIS IS DIFFERENT  THAN READ AND “APPLY GROUP POLICY”, which will have the affect of nullifying any security group filtering you are using on the GPO) per-user GP processing will go back to working. The above referenced article says that you can add either Authenticated Users or Domain Computers with Read access on the GPO to solve this, because the per-user settings are running in the computer’s security context, so adding Domain Computers should give the computer the access it needs to continue processing those per-user settings.
Mitigation
OK, again, this is a BIGGGGG change, and I’m sure a lot of folks got broken by this. What I’ve done is created a quick PowerShell script for those who have a lot of GPOs in your environment and don’t want to manually make this change. What the script does is get a list of all of your GPOs in the current domain. It then iterates through them, checks to see if the Authenticated Users or Domain Computers groups are found in the GPO’s delegation. If not found, then the script adds the Read (only) permission to the GPO for Authenticated Users. You might decide you’d rather use Domain Computers, because some people have purposefully prevented Authenticated Users from reading their GPOs to prevent unwanted security posture discovery. You can easily modify the script to add Domain Computers instead of Authenticated Users by modifying line 9 of the script. Note that this script needs the Group Policy PowerShell module that is part of GPMC to be installed to function:

GPO Permission script for MS16-072
 Download the Script File
 

 
PLEASE NOTE: THIS SCRIPT CHANGES PERMISSIONS ON YOUR GPOs. Test first in a non-production environment before running it against your live GPOs. It’s provided for you as-is, with no warranty!
June 16 Edit: I made a change to the script, to have it check for GPOs that contain user settings, since we’re only interested in doing this fix for GPOs with per-user settings. Also note that Microsoft has just released an assessment-only script here.
 
Next Steps
I’ve been asked if this is a bug that Microsoft will fix. If you read the article I mention above, it sure doesn’t seem like they see it as a bug, but rather a change in behavior in the interests of security. I agree that making GP secure is critical to ensuring it can do it’s job of, well, securing your Windows systems. I wish they had given a little bit more notice on this so it didn’t break people’s GP environments, but, hey, at least NOW we know :-).


From <https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/>
0
 

Author Closing Comment

by:PramoIT
ID: 41729515
Thanks. In my case i uninstalled the update for now.
0
 
LVL 30

Expert Comment

by:Scott C
ID: 41730033
Glad I could help.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here .   Some years back, I worked as the CTO.  During my tenure, I had a head of IT support reporting to me.  He did his job quite well and had a commendable sense of duty …
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question