Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Course Of The Month
4 days, 21 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Manually Fix KB3159398
Posted on 2016-07-31
I posted this a day or two ago and guess I didn't get enough detail. I thought the simple fix was to add Authenticated Users under Delegation and give them Read privileges but I don't think this is correct. Don't they need Read and Apply GPO?
Secondly I thought Authenticated Users (Read and Apply GPO) was just a standard, every GPO should have it under Delegation, but when I add Authenticated Users under Delegation it also adds Authenticated Users under Scope. I don't want that. I have a specific security group under Scope and when added that group is automatically put it under Delegation with Read and Apply GPO permissions.
So I am a little confused about what KB3159398 actually did. I don't really want to add caret Blanche add Authenticated Users under Delegation where ever it is missing do I?
Secondly I thought Authenticated Users (Read and Apply GPO) was just a standard, every GPO should have it under Delegation, but when I add Authenticated Users under Delegation it also adds Authenticated Users under Scope. I don't want that. I have a specific security group under Scope and when added that group is automatically put it under Delegation with Read and Apply GPO permissions.
So I am a little confused about what KB3159398 actually did. I don't really want to add caret Blanche add Authenticated Users under Delegation where ever it is missing do I?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
3
3
7 Comments
Active today
You can check it first using this PowerShell script:
From: https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
And then manually add the permission one by one a necessary.
#Load GPO module
Import-Module GroupPolicy
#Get all GPOs in current domain
$GPOs = Get-GPO -All
#Check we have GPOs
if ($GPOs) {
#Loop through GPOs
foreach ($GPO in $GPOs) {
#Nullify $AuthUser & $DomComp
$AuthUser = $null
$DomComp = $null
#See if we have an Auth Users perm
$AuthUser = Get-GPPermissions -Guid $GPO.Id -TargetName “Authenticated Users” -TargetType Group -ErrorAction SilentlyContinue
#See if we have the ‘Domain Computers perm
$DomComp = Get-GPPermissions -Guid $GPO.Id -TargetName “Domain Computers” -TargetType Group -ErrorAction SilentlyContinue
#Alert if we don’t have an ‘Authenticated Users’ permission
if (-not $AuthUser) {
#Now check for ‘Domain Computers’ permission
if (-not $DomComp) {
Write-Host “WARNING: $($GPO.DisplayName) ($($GPO.Id)) does not have an ‘Authenticated Users’ permission or ‘Domain Computers’ permission – please investigate” -ForegroundColor Red
} #end of if (-not $DomComp)
else {
#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Host “INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) does not have an ‘Authenticated Users’ permission but does have a ‘Domain Computers’ permission” -ForegroundColor Yellow
} #end of else (-not $DomComp)
} #end of if (-not $AuthUser)
elseif (($AuthUser.Permission -ne “GpoApply”) -and ($AuthUser.Permission -ne “GpoRead”)) {
#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Host “INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) has an ‘Authenticated Users’ permission that isn’t ‘GpoApply’ or ‘GpoRead'” -ForegroundColor Yellow
} #end of elseif (($AuthUser.Permission -ne “GpoApply”) -or ($AuthUser.Permission -ne “GpoRead”))
else {
#COMMENT OUT THE BELOW LINE TO REDUCE OUTPUT!
Write-Output “INFORMATION: $($GPO.DisplayName) ($($GPO.Id)) has an ‘Authenticated Users’ permission”
} #end of else (-not $AuthUser)
} #end of foreach ($GPO in $GPOs)
} #end of if ($GPOs)
From: https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
And then manually add the permission one by one a necessary.
Active 1 day ago
Thanks but it is the manual permissions I am questioning..... please see the question.....
Active 1 day ago
If you have a GPO targeted at a group named lets say "Finance-Users" you still need to add Authenticated Users under delegation with "Read" only selected (Deselect "Apply Group Policy" under Authenticated users)
If you need the policy to work for all authenticated users then you need to set both "Read" and "Apply Group Policy"
You do not need to add "Write" permissions etc to Authenticated users (Not recommended ever on authenticated users)
If you need the policy to work for all authenticated users then you need to set both "Read" and "Apply Group Policy"
You do not need to add "Write" permissions etc to Authenticated users (Not recommended ever on authenticated users)
Active 1 day ago
That is where the questions come in on manually fixing it. You are saying at the very least, under the delegation tab, that every GPO should have Authenticated Users, Read, checked and if it is targeting the Group Authenticated Users Apply Group Policy should be checked too?
Active 1 day ago
Yes correct. So just to keep it simple.
If targeting specific groups, you need authenticated users added under delegation, but only the "Read" option should be allowed. Remove allow on all other area's
If the target is Authenticated Users, then this box & the Apply Group Policy should both be allowed.
If the Apply Group Policy is not allowed, then "Authenticated Users" would not show under the target scope on the GPO post creating it, and the policy will not work for anyone.
To test run gpresult /r /scope:computer on a workstation where a item targeted policy is not applying & check that it shows with an error such as "Error unknown" or "GPO Denied"
Then on Group Policy add Authenticated Users with Read only to that GPO, go back to workstation, reboot and run gpresult /r /scope:computer again. (You can leave the /scope:computer out if the policy is user based.)
If targeting specific groups, you need authenticated users added under delegation, but only the "Read" option should be allowed. Remove allow on all other area's
If the target is Authenticated Users, then this box & the Apply Group Policy should both be allowed.
If the Apply Group Policy is not allowed, then "Authenticated Users" would not show under the target scope on the GPO post creating it, and the policy will not work for anyone.
To test run gpresult /r /scope:computer on a workstation where a item targeted policy is not applying & check that it shows with an error such as "Error unknown" or "GPO Denied"
Then on Group Policy add Authenticated Users with Read only to that GPO, go back to workstation, reboot and run gpresult /r /scope:computer again. (You can leave the /scope:computer out if the policy is user based.)
Active 1 day ago
OK. I corrected the Delegation but still no luck. GPRESULT /H on this workstations shows none of the GPOs linked to the Computers OU as being either Applied or Denied. Screen shot and GPRESULT attached,
Capture.PNG
gpresult.html
Capture.PNG
gpresult.html
Active 1 day ago
Just on a side note. Computer GPO's do not show on GPRESULT /R It shows User Settings only.
You need to run GPRESULT /R /SCOPE:COMPUTER from an elevated CMD Prompt, if running it from client side in order to view the Computer Settings. But that's different from the GPO Results wizard attached here.
It looks from screenshot that Computer objects focused GPO's are set under SBSComputers correct.
Can you confirm that the computer which you ran the wizard against is in this OU.
In addition can you confirm if this problem applies to all systems tested, or only this one single computer please.
And finally did you check this after waiting for replication to finish. It can take some time unless you manually kicked of replication.
You need to run GPRESULT /R /SCOPE:COMPUTER from an elevated CMD Prompt, if running it from client side in order to view the Computer Settings. But that's different from the GPO Results wizard attached here.
It looks from screenshot that Computer objects focused GPO's are set under SBSComputers correct.
Can you confirm that the computer which you ran the wizard against is in this OU.
In addition can you confirm if this problem applies to all systems tested, or only this one single computer please.
And finally did you check this after waiting for replication to finish. It can take some time unless you manually kicked of replication.
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| Azure AD / OAUTH | 2 | 45 | |
| CAL for Disabled accounts | 4 | 57 | |
| Compatibility view list registry key | 1 | 47 | |
| Powershell: Combining a where statement with contains | 2 | 20 |
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Active Directory security has been a hot topic of late, and for good reason. With
90%
of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This Micro Tutorial hows how you can integrate Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease.
The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Course of the Month4 days, 21 hours left to enroll
738 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.