Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PowerShell script to fix KB3159398 (GPO Update)

Posted on 2016-07-28
14
Medium Priority
?
321 Views
1 Endorsement
Last Modified: 2016-07-30
Is there a powershell script I can run on the DC to fix the problems with KB3159398 that Microsoft put out back in June that stopped a lot of GPO from applying?
1
Comment
Question by:LockDown32
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 56

Accepted Solution

by:
McKnife earned 1000 total points
ID: 41733811
Yes, https://s3.amazonaws.com/sdmsoftware.com/dl/AddGPOReadPerms.zip is a powershell script for server 2008R2 and higher, execute it right on the DC to "fix" current GPOs. Article with details: https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

For future GPOs, one can change the default security descriptor, described here https://sdmsoftware.com/group-policy-blog/tips-tricks/modifying-default-gpo-permissions-creation-time/
1
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41733976
Hi McKnife,

So do I run that powershell script before or after the Windows Update in all of the domain controllers in the domain simultaneously ?
or just one random DC ?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 1000 total points
ID: 41734104
THe Microsoft PFE have published detailed steps on this.

https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

You would fix the GPO permissions before applying the hotfix. You can fix the permissions from any domain controller (sysvol changes will replicate the ACL update amongst all other DC's).
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 56

Expert Comment

by:McKnife
ID: 41734229
It does not matter when you fix them. Do it now. One DC is enough as this gets replicated to all DCs.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734581
Not having a lot of luck with the PowerShell script. I was under the impression is was supposed to add Authenticated Users and Domain Computers to the Delegation Tab with read rights. I found a GPO that had neither and after running the GPO it doesn't look like anything changed. Do I need to reboot or something?

I tried it on a 2008 R2 and it came back with a bunch of:

Get-GPPermission : The term 'Get-GPPermission' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:7 char:18
+         $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users ...
+                  ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-GPPermission:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41734592
2008R2 comes with Powershell 2.0 which does not have the needed cmdlets. Install Powershell 3.0 or better 5.0 on your server or execute this script (as domain admin) on a workstation that has both
1 powershell 3.0 or higher
2 RSAT
installed.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734598
OK. That would explain the 2008 but what about the script not appearing to work in 2011 and 2012? It should add Authenticate Users and Domain Computers to the Delegation Tab should it? Right away? Shouldn't need to reboot?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41734602
Rightaway.
[Edited some text]
Please determine the powershell version on your servers using this one line of powershell code:
$PSVersionTable.PSVersion

Open in new window

0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734606
That was my next question. This 2008 R2 is Powershell 3.0.....
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41734610
Ah, what needs to be done is:
At the server, in powershell, load the module active-directory like this, the execute the script:
import-module activedirectory

Open in new window

On newer powershell versions (starting with 4? or 5?), that module would get loaded automatically whenever a cmdlet needs it. Sorry, I forgot about that.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734619
What fun :) Server 2012 is PowerShell 3.0?

Anyway.. back to the 2008 R2. import-module activedirectory didn't do much. Basically the same errors so I installed powershell 4.0 but now it wants to reboot the server. Have to wait until after 5.....
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41734625
I have no idea what would happen if you tried before restarting, but I had another look at it and the gpp cmdlets are not within the module active directory but in grouppolicy
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41735098
I had to bail. By the time I updated PowerShell on all servers and waited to reboot them it was easier and quicker to do it manually but want to make sure I didn't miss something.

What needed to be done was adding Authenticated Users to Delegation. The article showed Domain Computers under the delegation but on all the servers I work with Domain Computers was not there even on working GPOs. The article also said that Domain Computers was a subset of Authenticated Users do in essence Domain Computers was delegated too...

It that the way others are reading the manual fix?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 41735163
You could do either one, no difference.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question