Manually Fix KB3159398
Asked by LockDown32
I posted this a day or two ago and guess I didn't get enough detail. I thought the simple fix was to add Authenticated Users under Delegation and give them Read privileges but I don't think this is correct. Don't they need Read and Apply GPO?
Secondly I thought Authenticated Users (Read and Apply GPO) was just a standard, every GPO should have it under Delegation, but when I add Authenticated Users under Delegation it also adds Authenticated Users under Scope. I don't want that. I have a specific security group under Scope and when added that group is automatically put it under Delegation with Read and Apply GPO permissions.
So I am a little confused about what KB3159398 actually did. I don't really want to add carte blanche and add Authenticated Users under Delegation wherever it is missing, do I?
ASKER
Thanks but it is the manual permissions I am questioning..... please see the question.....
If you have a GPO targeted at a group named, let's say, "Finance-Users", you still need to add Authenticated Users under Delegation with "Read" only selected (deselect "Apply Group Policy" under Authenticated Users).
If you need the policy to work for all authenticated users then you need to set both "Read" and "Apply Group Policy"
You do not need to add "Write" permissions etc to Authenticated users (Not recommended ever on authenticated users)
ASKER
That is where the questions come in on manually fixing it. You are saying that, at the very least, under the Delegation tab every GPO should have Authenticated Users with Read checked, and if it is targeting the group Authenticated Users, Apply Group Policy should be checked too?
ASKER CERTIFIED SOLUTION
ASKER
OK. I corrected the Delegation but still no luck. GPRESULT /H on this workstation shows none of the GPOs linked to the Computers OU as being either Applied or Denied. Screenshot and GPRESULT attached.
Capture.PNG
gpresult.html
Just on a side note: Computer GPOs do not show on GPRESULT /R. It shows User Settings only.
You need to run GPRESULT /R /SCOPE:COMPUTER from an elevated CMD prompt, if running it from the client side, in order to view the Computer Settings. But that's different from the GPO Results wizard attached here.
It looks from the screenshot that the computer-object-focused GPOs are set under SBSComputers, correct?
Can you confirm that the computer which you ran the wizard against is in this OU?
In addition, can you confirm whether this problem applies to all systems tested, or only this one single computer, please?
And finally, did you check this after waiting for replication to finish? It can take some time unless you manually kicked off replication.
From: https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
And then manually add the permission one by one as necessary.
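The audit the reply points to, written out as an added example (this is not the script from the linked blog post or from Microsoft): it lists every GPO in the domain on which neither Authenticated Users nor Domain Computers holds at least Read, which is the condition KB3159398 / MS16-072 introduced, and offers a Read-only remediation that leaves Security Filtering under Scope untouched. It assumes the GroupPolicy RSAT module is installed and that the account running it can read GPO security descriptors.

```powershell
# Added example, not the blog's or the asker's script.
# Assumes the GroupPolicy module (RSAT) and rights to read/modify GPO ACLs.
Import-Module GroupPolicy

function Get-GpoMissingReadPermission {
    [CmdletBinding()]
    param(
        # Either trustee holding Read satisfies the post-MS16-072 requirement.
        [string[]]$Trustees = @('Authenticated Users', 'Domain Computers')
    )

    foreach ($gpo in Get-GPO -All) {
        # -All returns every ACE instead of erroring when a trustee is absent.
        $acl = Get-GPPermission -Guid $gpo.Id -All -ErrorAction Stop

        # Any allow ACE at Read level or higher counts; a Deny ACE does not.
        $hasRead = $acl | Where-Object {
            ($Trustees -contains $_.Trustee.Name) -and
            (-not $_.Denied) -and
            ($_.Permission -in @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'))
        }

        if (-not $hasRead) {
            [PSCustomObject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                GpoStatus   = $gpo.GpoStatus
            }
        }
    }
}

function Add-GpoAuthenticatedUsersRead {
    # Grants Read only (not Apply Group Policy), so the GPO keeps applying
    # solely to the group already listed under Scope > Security Filtering.
    param([Parameter(Mandatory)][guid]$GpoId)
    Set-GPPermission -Guid $GpoId -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
}

# Report only; review the list before calling Add-GpoAuthenticatedUsersRead on each Id.
Get-GpoMissingReadPermission | Format-Table DisplayName, Id, GpoStatus -AutoSize
```

Run the report first and fix GPOs individually; a GPO that already grants Domain Computers Read is reported as compliant and needs no change.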