I posted this a day or two ago and guess I didn't get enough detail. I thought the simple fix was to add Authenticated Users under Delegation and give them Read privileges but I don't think this is correct. Don't they need Read and Apply GPO?
Secondly I thought Authenticated Users (Read and Apply GPO) was just a standard, every GPO should have it under Delegation, but when I add Authenticated Users under Delegation it also adds Authenticated Users under Scope. I don't want that. I have a specific security group under Scope and when added that group is automatically put it under Delegation with Read and Apply GPO permissions.
So I am a little confused about what KB3159398 actually did. I don't really want to add caret Blanche add Authenticated Users under Delegation where ever it is missing do I?
Open in new window
From: https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
And then manually add the permission one by one a necessary.