Solved

PowerShell script to fix KB3159398 (GPO Update)

Posted on 2016-07-28
14
232 Views
1 Endorsement
Last Modified: 2016-07-30
Is there a powershell script I can run on the DC to fix the problems with KB3159398 that Microsoft put out back in June that stopped a lot of GPO from applying?
1
Comment
Question by:LockDown32
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
14 Comments
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 41733811
Yes, https://s3.amazonaws.com/sdmsoftware.com/dl/AddGPOReadPerms.zip is a powershell script for server 2008R2 and higher, execute it right on the DC to "fix" current GPOs. Article with details: https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

For future GPOs, one can change the default security descriptor, described here https://sdmsoftware.com/group-policy-blog/tips-tricks/modifying-default-gpo-permissions-creation-time/
1
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41733976
Hi McKnife,

So do I run that powershell script before or after the Windows Update in all of the domain controllers in the domain simultaneously ?
or just one random DC ?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734104
THe Microsoft PFE have published detailed steps on this.

https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

You would fix the GPO permissions before applying the hotfix. You can fix the permissions from any domain controller (sysvol changes will replicate the ACL update amongst all other DC's).
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 54

Expert Comment

by:McKnife
ID: 41734229
It does not matter when you fix them. Do it now. One DC is enough as this gets replicated to all DCs.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734581
Not having a lot of luck with the PowerShell script. I was under the impression is was supposed to add Authenticated Users and Domain Computers to the Delegation Tab with read rights. I found a GPO that had neither and after running the GPO it doesn't look like anything changed. Do I need to reboot or something?

I tried it on a 2008 R2 and it came back with a bunch of:

Get-GPPermission : The term 'Get-GPPermission' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:7 char:18
+         $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users ...
+                  ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-GPPermission:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41734592
2008R2 comes with Powershell 2.0 which does not have the needed cmdlets. Install Powershell 3.0 or better 5.0 on your server or execute this script (as domain admin) on a workstation that has both
1 powershell 3.0 or higher
2 RSAT
installed.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734598
OK. That would explain the 2008 but what about the script not appearing to work in 2011 and 2012? It should add Authenticate Users and Domain Computers to the Delegation Tab should it? Right away? Shouldn't need to reboot?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41734602
Rightaway.
[Edited some text]
Please determine the powershell version on your servers using this one line of powershell code:
$PSVersionTable.PSVersion

Open in new window

0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734606
That was my next question. This 2008 R2 is Powershell 3.0.....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41734610
Ah, what needs to be done is:
At the server, in powershell, load the module active-directory like this, the execute the script:
import-module activedirectory

Open in new window

On newer powershell versions (starting with 4? or 5?), that module would get loaded automatically whenever a cmdlet needs it. Sorry, I forgot about that.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734619
What fun :) Server 2012 is PowerShell 3.0?

Anyway.. back to the 2008 R2. import-module activedirectory didn't do much. Basically the same errors so I installed powershell 4.0 but now it wants to reboot the server. Have to wait until after 5.....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41734625
I have no idea what would happen if you tried before restarting, but I had another look at it and the gpp cmdlets are not within the module active directory but in grouppolicy
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41735098
I had to bail. By the time I updated PowerShell on all servers and waited to reboot them it was easier and quicker to do it manually but want to make sure I didn't miss something.

What needed to be done was adding Authenticated Users to Delegation. The article showed Domain Computers under the delegation but on all the servers I work with Domain Computers was not there even on working GPOs. The article also said that Domain Computers was a subset of Authenticated Users do in essence Domain Computers was delegated too...

It that the way others are reading the manual fix?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41735163
You could do either one, no difference.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question