PowerShell script to fix KB3159398 (GPO Update)

Posted on 2016-07-28
Last Modified: 2016-07-30
Is there a PowerShell script I can run on the DC to fix the problems with KB3159398 that Microsoft put out back in June that stopped a lot of GPOs from applying?
Question by:LockDown32
14 Comments
Accepted Solution

by:
McKnife earned 250 total points
ID: 41733811
Yes, https://s3.amazonaws.com/sdmsoftware.com/dl/AddGPOReadPerms.zip is a PowerShell script for Server 2008 R2 and higher; execute it right on the DC to "fix" current GPOs. Article with details: https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

For future GPOs, one can change the default security descriptor, described here https://sdmsoftware.com/group-policy-blog/tips-tricks/modifying-default-gpo-permissions-creation-time/
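The script linked in the accepted solution grants Authenticated Users Read on each existing GPO. As an added example, not the sdmsoftware script and not code from anyone in this thread, the following PowerShell does the same audit-and-fix by hand: it imports the GroupPolicy module explicitly (that is where the Get-GPPermission/Set-GPPermission cmdlets live, and PowerShell 3.0 on 2008 R2 does not always auto-load it), lists every GPO where neither Authenticated Users nor Domain Computers has at least Read, and with -Fix grants Authenticated Users Read. It assumes it is run as a domain admin on a DC or an RSAT workstation with PowerShell 3.0 or later. It deliberately grants GpoRead and never GpoApply: adding Apply for Authenticated Users would override security filtering on any GPO that was intentionally scoped to a narrower group.

```powershell
# Added example, not the script from the answer above. Audits every GPO for the
# Read permission that KB3159398 / MS16-072 requires and optionally adds it.
# Assumes: run as a domain admin, RSAT/GPMC cmdlets installed, PowerShell 3.0+.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Fix the script only reports; with -Fix it grants Authenticated Users Read.
    [switch]$Fix
)

# The GP cmdlets live in the GroupPolicy module (not ActiveDirectory). PowerShell 3.0
# on 2008 R2 does not always auto-load it, so import it explicitly and fail loudly.
Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that include Read. GpoApply implies Read, so a GPO that already
# applies to Authenticated Users needs no change.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerReadable {
    param([Parameter(Mandatory = $true)]$Gpo)
    # Domain Computers is a subset of Authenticated Users, so either principal satisfies
    # the post-patch check, which reads user GPOs in the computer's security context.
    foreach ($principal in 'Authenticated Users', 'Domain Computers') {
        # Get-GPPermission errors when the trustee has no entry in the GPO ACL;
        # treat that as "no access" rather than aborting the audit.
        try {
            $perm = Get-GPPermission -Guid $Gpo.Id -TargetName $principal -TargetType Group -ErrorAction Stop
        } catch {
            $perm = $null
        }
        if ($perm -and ($ReadLevels -contains [string]$perm.Permission)) {
            return $true
        }
    }
    return $false
}

$broken = @()
foreach ($gpo in Get-GPO -All) {
    if (Test-GpoComputerReadable -Gpo $gpo) { continue }
    $broken += $gpo
    # GpoRead only: granting GpoApply to Authenticated Users would defeat security
    # filtering on GPOs deliberately scoped to a narrower group.
    if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Authenticated Users Read')) {
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}

if ($broken.Count -eq 0) {
    Write-Output 'All GPOs grant Read to Authenticated Users or Domain Computers.'
} else {
    Write-Output ("{0} GPO(s) lack the Read permission required by KB3159398:" -f $broken.Count)
    $broken | Select-Object DisplayName, Id | Format-Table -AutoSize
}
```

Save it as, for instance, Test-GpoReadPerms.ps1 (a name chosen for this example). Run it with no parameters to get the report only, with `-Fix -WhatIf` to see which GPOs would be changed, and with `-Fix` to apply the change. Because Set-GPPermission writes the ACE to the GPO container in AD and to the SYSVOL folder, running it once on any DC is enough; the change replicates to the others.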
Expert Comment

by:Senior IT System Engineer
ID: 41733976
Hi McKnife,

So do I run that PowerShell script before or after the Windows Update, on all of the domain controllers in the domain simultaneously?
Or just one random DC?
Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734104
The Microsoft PFEs have published detailed steps on this.

https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

You would fix the GPO permissions before applying the hotfix. You can fix the permissions from any domain controller (SYSVOL changes will replicate the ACL update amongst all other DCs).
Expert Comment

by:McKnife
ID: 41734229
It does not matter when you fix them. Do it now. One DC is enough as this gets replicated to all DCs.
Author Comment

by:LockDown32
ID: 41734581
Not having a lot of luck with the PowerShell script. I was under the impression it was supposed to add Authenticated Users and Domain Computers to the Delegation tab with read rights. I found a GPO that had neither and after running the GPO it doesn't look like anything changed. Do I need to reboot or something?

I tried it on a 2008 R2 and it came back with a bunch of:

Get-GPPermission : The term 'Get-GPPermission' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:7 char:18
+         $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users ...
+                  ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-GPPermission:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Expert Comment

by:McKnife
ID: 41734592
2008 R2 comes with PowerShell 2.0, which does not have the needed cmdlets. Install PowerShell 3.0 or, better, 5.0 on your server, or execute this script (as domain admin) on a workstation that has both
1. PowerShell 3.0 or higher
2. RSAT
installed.
Author Comment

by:LockDown32
ID: 41734598
OK. That would explain the 2008, but what about the script not appearing to work in 2011 and 2012? It should add Authenticated Users and Domain Computers to the Delegation tab, should it? Right away? Shouldn't need to reboot?
Expert Comment

by:McKnife
ID: 41734602
Right away.
[Edited some text]
Please determine the PowerShell version on your servers using this one line of PowerShell code:
$PSVersionTable.PSVersion

Author Comment

by:LockDown32
ID: 41734606
That was my next question. This 2008 R2 is Powershell 3.0.....
Expert Comment

by:McKnife
ID: 41734610
Ah, what needs to be done is:
At the server, in PowerShell, load the ActiveDirectory module like this, then execute the script:
import-module activedirectory

On newer PowerShell versions (starting with 4? or 5?), that module would get loaded automatically whenever a cmdlet needs it. Sorry, I forgot about that.

Author Comment

by:LockDown32
ID: 41734619
What fun :) Server 2012 is PowerShell 3.0?

Anyway.. back to the 2008 R2. import-module activedirectory didn't do much. Basically the same errors so I installed powershell 4.0 but now it wants to reboot the server. Have to wait until after 5.....
Expert Comment

by:McKnife
ID: 41734625
I have no idea what would happen if you tried before restarting, but I had another look at it and the GP cmdlets are not within the ActiveDirectory module but in GroupPolicy.
Author Comment

by:LockDown32
ID: 41735098
I had to bail. By the time I updated PowerShell on all servers and waited to reboot them it was easier and quicker to do it manually but want to make sure I didn't miss something.

What needed to be done was adding Authenticated Users to Delegation. The article showed Domain Computers under the delegation, but on all the servers I work with Domain Computers was not there, even on working GPOs. The article also said that Domain Computers was a subset of Authenticated Users, so in essence Domain Computers was delegated too...

Is that the way others are reading the manual fix?
Expert Comment

by:McKnife
ID: 41735163
You could do either one, no difference.