Solved

PowerShell script to fix KB3159398 (GPO Update)

Posted on 2016-07-28
Last Modified: 2016-07-30
Is there a PowerShell script I can run on the DC to fix the problems with KB3159398 that Microsoft put out back in June that stopped a lot of GPOs from applying?
Question by:LockDown32
14 Comments
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 41733811
Yes, https://s3.amazonaws.com/sdmsoftware.com/dl/AddGPOReadPerms.zip is a PowerShell script for Server 2008 R2 and higher; execute it right on the DC to "fix" current GPOs. Article with details: https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

For future GPOs, one can change the default security descriptor, described here https://sdmsoftware.com/group-policy-blog/tips-tricks/modifying-default-gpo-permissions-creation-time/
1
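The following is an added example, not part of the original thread and not the SDM Software script linked above. It shows what such a fix does with the standard GroupPolicy module cmdlets (Get-GPO, Get-GPPermission, Set-GPPermission): every GPO in the domain is audited for a Read-or-better entry for either Authenticated Users or Domain Computers, and where neither exists, Authenticated Users is granted Read without touching any other ACE. The function names and the accepted-trustee list are the editor's choices; the assumption that Get-GPPermission returns nothing (rather than an object) for a trustee that has no entry is also the editor's, which is why the call suppresses errors.

```powershell
#Requires -Version 3.0
# Added example (editor's code, not the SDM script from the thread):
# audit every GPO for the read permission MS16-072 / KB3159398 requires and
# grant "Authenticated Users" Read where it is missing. Run as a domain admin
# on one DC or on a workstation with RSAT; AD/SYSVOL replication carries the
# ACL change to the other DCs.
Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that already include Read. GpoCustom is deliberately not
# listed: it may or may not include Read, so such GPOs get reported for review.
$readOrBetter = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Domain Computers is a subset of Authenticated Users, so either trustee on the
# Delegation tab satisfies the requirement (editor's assumption, matching the thread).
$acceptableTrustees = 'Authenticated Users', 'Domain Computers'

function Test-GpoReadPermission {
    param([Parameter(Mandatory)] $Gpo)
    foreach ($trustee in $acceptableTrustees) {
        # Assumption: no entry for the trustee means no object is returned; errors are suppressed.
        $perm = Get-GPPermission -Guid $Gpo.Id -TargetName $trustee -TargetType Group -ErrorAction SilentlyContinue
        if ($perm -and ($readOrBetter -contains $perm.Permission.ToString())) { return $true }
    }
    return $false
}

function Repair-GpoReadPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Fix)   # without -Fix the function only reports
    foreach ($gpo in Get-GPO -All) {
        if (Test-GpoReadPermission -Gpo $gpo) {
            [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = 'OK' }
            continue
        }
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Authenticated Users Read')) {
            # GpoRead adds a Read ACE; existing entries (including any Apply ACE
            # removed on purpose for security filtering) are left alone because
            # -Replace is not used.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead | Out-Null
            [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = 'Fixed' }
        } else {
            [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = 'Missing read permission' }
        }
    }
}

# Report first, then dry-run, then apply:
Repair-GpoReadPermission | Format-Table -AutoSize
# Repair-GpoReadPermission -Fix -WhatIf
# Repair-GpoReadPermission -Fix
```

Granting Read only is the point: it restores the security-principal read that the post-MS16-072 computer context needs, while leaving GPOs that were intentionally security-filtered (Authenticated Users removed from Apply) filtered. Run the report first and check the `Missing read permission` list before applying, and re-run afterwards to confirm every GPO shows `OK`.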
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41733976
Hi McKnife,

So do I run that PowerShell script before or after the Windows Update, in all of the domain controllers in the domain simultaneously?
Or just one random DC?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734104
The Microsoft PFEs have published detailed steps on this.

https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

You would fix the GPO permissions before applying the hotfix. You can fix the permissions from any domain controller (SYSVOL changes will replicate the ACL update amongst all other DCs).
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41734229
It does not matter when you fix them. Do it now. One DC is enough as this gets replicated to all DCs.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734581
Not having a lot of luck with the PowerShell script. I was under the impression it was supposed to add Authenticated Users and Domain Computers to the Delegation tab with read rights. I found a GPO that had neither, and after running the GPO it doesn't look like anything changed. Do I need to reboot or something?

I tried it on a 2008 R2 and it came back with a bunch of:

Get-GPPermission : The term 'Get-GPPermission' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:7 char:18
+         $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users ...
+                  ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-GPPermission:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41734592
2008 R2 comes with PowerShell 2.0, which does not have the needed cmdlets. Install PowerShell 3.0 or, better, 5.0 on your server, or execute this script (as domain admin) on a workstation that has both
1. PowerShell 3.0 or higher
2. RSAT
installed.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734598
OK. That would explain the 2008, but what about the script not appearing to work in 2011 and 2012? It should add Authenticated Users and Domain Computers to the Delegation tab, should it? Right away? Shouldn't need to reboot?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41734602
Right away.
Please determine the PowerShell version on your servers using this one line of PowerShell code:
$PSVersionTable.PSVersion

0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734606
That was my next question. This 2008 R2 is Powershell 3.0.....
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41734610
Ah, what needs to be done is:
At the server, in PowerShell, load the ActiveDirectory module like this, then execute the script:
import-module activedirectory

On newer PowerShell versions (starting with 4? or 5?), that module would get loaded automatically whenever a cmdlet needs it. Sorry, I forgot about that.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734619
What fun :) Server 2012 is PowerShell 3.0?

Anyway, back to the 2008 R2. import-module activedirectory didn't do much; basically the same errors, so I installed PowerShell 4.0, but now it wants to reboot the server. Have to wait until after 5.....
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41734625
I have no idea what would happen if you tried before restarting, but I had another look at it and the GPP cmdlets are not within the ActiveDirectory module but in GroupPolicy.
0
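As an added example (editor's code, not from anyone in the thread), this is the prerequisite check that would have shortened the back-and-forth above: it verifies the PowerShell version, confirms that the GroupPolicy module (which ships with the GPMC feature / RSAT, not with the ActiveDirectory module) is installed, imports it, and checks that the Get-GPPermission / Set-GPPermission cmdlets resolve. The function name is the editor's; the feature name GPMC and the cmdlets used are the real ones from Windows Server.

```powershell
# Added example (editor's code): check a host before running any GPO
# permission-fixing script. Returns $true when the GP cmdlets are usable.
function Test-GpoCmdletPrerequisites {
    $ok = $true

    # Get-GPPermission / Set-GPPermission need PowerShell 3.0 or later; Server 2008 R2
    # ships 2.0 and needs the Windows Management Framework update (plus a reboot).
    if ($PSVersionTable.PSVersion.Major -lt 3) {
        Write-Warning "PowerShell $($PSVersionTable.PSVersion) found; 3.0 or later is required."
        $ok = $false
    }

    # The GP cmdlets live in the GroupPolicy module, installed by the Group Policy
    # Management Console feature (server) or RSAT (client), not in ActiveDirectory.
    if (-not (Get-Module -ListAvailable -Name GroupPolicy)) {
        Write-Warning ('GroupPolicy module not found. Server: Install-WindowsFeature GPMC ' +
                       '(2008 R2: Import-Module ServerManager; Add-WindowsFeature GPMC). ' +
                       'Client: install RSAT.')
        return $false
    }

    # Explicit import, so this also works on PowerShell 3.0 where the thread's
    # poster found the cmdlets unresolved until the right module was loaded.
    Import-Module GroupPolicy -ErrorAction Stop

    foreach ($cmd in 'Get-GPO', 'Get-GPPermission', 'Set-GPPermission') {
        $resolved = Get-Command $cmd -ErrorAction SilentlyContinue
        if (-not $resolved) {
            Write-Warning "$cmd is not available even after importing GroupPolicy."
            $ok = $false
        } else {
            # Shows which module actually provides the cmdlet (expected: GroupPolicy).
            Write-Verbose "$cmd resolved from module '$($resolved.ModuleName)'" -Verbose
        }
    }
    return $ok
}

if (Test-GpoCmdletPrerequisites) {
    'Prerequisites met; safe to run the GPO permission fix from this host.'
} else {
    'Fix the warnings above (or run from a workstation with PowerShell 3.0+ and RSAT) first.'
}
```

Run this on the host you intend to use before the fix script; it tells you in one pass whether the failure you would hit is the PowerShell version, a missing GPMC/RSAT install, or simply the module not being loaded.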
 
LVL 15

Author Comment

by:LockDown32
ID: 41735098
I had to bail. By the time I updated PowerShell on all servers and waited to reboot them, it was easier and quicker to do it manually, but I want to make sure I didn't miss something.

What needed to be done was adding Authenticated Users to Delegation. The article showed Domain Computers under the delegation, but on all the servers I work with Domain Computers was not there, even on working GPOs. The article also said that Domain Computers was a subset of Authenticated Users, so in essence Domain Computers was delegated too...

Is that the way others are reading the manual fix?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 41735163
You could do either one, no difference.
0