Solved

PowerShell script to fix KB3159398 (GPO Update)

Posted on 2016-07-28
Last Modified: 2016-07-30
Is there a PowerShell script I can run on the DC to fix the problems with KB3159398 that Microsoft put out back in June that stopped a lot of GPOs from applying?
Question by:LockDown32
14 Comments
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 41733811
Yes, https://s3.amazonaws.com/sdmsoftware.com/dl/AddGPOReadPerms.zip is a PowerShell script for Server 2008 R2 and higher; execute it right on the DC to "fix" current GPOs. Article with details: https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

For future GPOs, one can change the default security descriptor, described here https://sdmsoftware.com/group-policy-blog/tips-tricks/modifying-default-gpo-permissions-creation-time/
1
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 41733976
Hi McKnife,

So do I run that PowerShell script before or after the Windows Update in all of the domain controllers in the domain simultaneously?
Or just one random DC?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41734104
The Microsoft PFEs have published detailed steps on this.

https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

You would fix the GPO permissions before applying the hotfix. You can fix the permissions from any domain controller (SYSVOL changes will replicate the ACL update amongst all other DCs).
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41734229
It does not matter when you fix them. Do it now. One DC is enough as this gets replicated to all DCs.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734581
Not having a lot of luck with the PowerShell script. I was under the impression it was supposed to add Authenticated Users and Domain Computers to the Delegation tab with read rights. I found a GPO that had neither and after running the GPO it doesn't look like anything changed. Do I need to reboot or something?

I tried it on a 2008 R2 and it came back with a bunch of:

Get-GPPermission : The term 'Get-GPPermission' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:7 char:18
+         $perm1 = Get-GPPermission -Guid $gpo.id -TargetName "Authenticated Users ...
+                  ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-GPPermission:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41734592
2008 R2 comes with PowerShell 2.0, which does not have the needed cmdlets. Install PowerShell 3.0 or, better, 5.0 on your server, or execute this script (as domain admin) on a workstation that has both
1. PowerShell 3.0 or higher
2. RSAT
installed.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734598
OK. That would explain the 2008, but what about the script not appearing to work in 2011 and 2012? It should add Authenticated Users and Domain Computers to the Delegation tab, should it? Right away? Shouldn't need to reboot?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41734602
Right away.
[Edited some text]
Please determine the PowerShell version on your servers using this one line of PowerShell code:
$PSVersionTable.PSVersion
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734606
That was my next question. This 2008 R2 is Powershell 3.0.....
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41734610
Ah, what needs to be done is:
At the server, in PowerShell, load the module ActiveDirectory like this, then execute the script:
import-module activedirectory
On newer powershell versions (starting with 4? or 5?), that module would get loaded automatically whenever a cmdlet needs it. Sorry, I forgot about that.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41734619
What fun :) Server 2012 is PowerShell 3.0?

Anyway, back to the 2008 R2. import-module activedirectory didn't do much. Basically the same errors, so I installed PowerShell 4.0, but now it wants to reboot the server. Have to wait until after 5.....
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41734625
I have no idea what would happen if you tried before restarting, but I had another look at it and the GPP cmdlets are not within the module ActiveDirectory but in GroupPolicy.
0
 
LVL 15

Author Comment

by:LockDown32
ID: 41735098
I had to bail. By the time I updated PowerShell on all servers and waited to reboot them, it was easier and quicker to do it manually, but I want to make sure I didn't miss something.

What needed to be done was adding Authenticated Users to Delegation. The article showed Domain Computers under the delegation, but on all the servers I work with Domain Computers was not there, even on working GPOs. The article also said that Domain Computers was a subset of Authenticated Users, so in essence Domain Computers was delegated too...

Is that the way others are reading the manual fix?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41735163
You could do either one, no difference.
0
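Pulling the thread together (the accepted solution's permission fix, the PowerShell 3.0 / RSAT / GroupPolicy-module prerequisites, and the point that either Authenticated Users or Domain Computers with Read satisfies the patch), here is an added audit-and-repair script of my own; it is not the SDM Software script linked in the accepted answer, and the -Fix switch, -Principal parameter and Test-GpoReadable function are names I made up for this example.

```powershell
#Requires -Version 3.0
# Added example (not the SDM Software script): audit every GPO for the read
# permission MS16-072 / KB3159398 requires and, only with -Fix, grant it.
# Needs the GroupPolicy module (RSAT / GPMC). Run as a domain admin on one DC
# or an RSAT workstation; the ACL change replicates to the other DCs.
param(
    [switch]$Fix,                                  # hypothetical switch: default is report-only
    [ValidateSet('Authenticated Users', 'Domain Computers')]
    [string]$Principal = 'Authenticated Users'     # hypothetical parameter: either group satisfies the patch
)

# PowerShell 3.0 on 2008 R2 does not always autoload this module, so load it explicitly.
Import-Module GroupPolicy -ErrorAction Stop

# Each of these levels includes Read. GpoCustom is deliberately not trusted:
# such GPOs are reported as MISSING so the custom ACL gets a manual look.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadable {
    param($Gpo)
    # Match by SID rather than display name so it works on any Windows language:
    # S-1-5-11 is Authenticated Users, <domain SID>-515 is Domain Computers.
    $hit = Get-GPPermission -Guid $Gpo.Id -All | Where-Object {
        $sid = [string]$_.Trustee.Sid
        ($sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515') -and
        ([string]$_.Permission -in $readLevels)
    }
    return [bool]$hit
}

$report = foreach ($gpo in Get-GPO -All) {
    $status = if (Test-GpoReadable -Gpo $gpo) { 'OK' } else { 'MISSING' }
    if ($status -eq 'MISSING' -and $Fix) {
        # GpoRead only: GpoApply would change which accounts the GPO actually targets.
        Set-GPPermission -Guid $gpo.Id -TargetName $Principal -TargetType Group `
            -PermissionLevel GpoRead | Out-Null
        $status = 'FIXED'
    }
    [pscustomobject]@{ Gpo = $gpo.DisplayName; Id = $gpo.Id; Status = $status }
}

$report | Sort-Object Status, Gpo | Format-Table -AutoSize
```

Run it once without -Fix to see which GPOs the patch will break, then again with -Fix; rerunning afterwards should report every GPO as OK.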
