Windows 10 and GPO only applies when "Authenticated Users" is added to Security filtering

So I don't know if I should chalk this up to a "Feature" in Windows 10, but I've been having problems with GPO only applying randomly or not at all to users since we started rolling out Windows 10. This does not happen with Windows 7 or below or 2008. Has anyone else had this problem? Did Microsoft change the way filters are applied through GPO with Windows 10? I updated to the latest Windows 10 GPOs thinking mine were outdated and it didn't help until I added that. Is this a new "Best Practices" that Microsoft recently put in place, and they want you to do WMI filtering instead, which I have no clue how to do, or is this just flat out a bug? All my AD replications and every test I ran have come back as good. Is there any other underlying cause that could cause this kind of issue?

Backstory:
The one policy we had was filtered to specific users. After hours of troubleshooting, because it was only happening on 1 of several machines that the user logged into, it all seemed to point to a user issue. I was able to replicate the issue with another user I created but not with any other active user, including mine. I ran gpupdate several times and it always came back as successful, but when I ran gpresult the offending policy wasn't there, like it was ignored completely and not in the folder. I thought somehow it got unlinked and checked that. Everything seemed fine; the users it was filtered to had rights to it, and it worked on other computers on the network. So on a hunch I saw all policies that worked had one thing in common: they were only applied to Authenticated Users. So while not removing the old settings, I added that in and ran gpupdate /force. Right away the GPO applied and everything was well; multiple logouts and logins on the computer I tested worked.
Crossroads305 Asked:

Learnctx (Engineer) Commented:
"Did Microsoft change the way filters are applied through GPO with Windows 10?"

Microsoft has fundamentally changed the way GPOs are applied since MS16-072 (or KB3163622) to prevent a MiTM vulnerability. See the MS PFE blog post here. Since this patch, the computer requires permission to all GPOs whether they contain user or computer settings. Microsoft recommends adding Authenticated Users to the ACL with read access.

The good news is the fix is straightforward. There is a script in the article which you can run to quickly add Authenticated Users to any GPO missing this ACL.

Otherwise check out the TechNet Wiki on top GPO issues here. Assuming you don't have some sort of infrastructure issue, most cases can be resolved by one of these common issues.
0
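An added example, not the script from the article mentioned in the answer above and not Microsoft's code: a PowerShell audit built on the GroupPolicy module's `Get-GPO`, `Get-GPPermission` and `Set-GPPermission` cmdlets that lists GPOs whose ACL gives computer accounts no read access, then dry-runs the fix. The function names are hypothetical, and treating Domain Computers as an acceptable alternative trustee is an assumption.

```powershell
#Requires -Modules GroupPolicy
# Added example: audit GPO ACLs for the read access computers need since MS16-072.

# Trustees that give computer accounts read access. "Authenticated Users" is the
# group recommended in the answer; "Domain Computers" is checked on the assumption
# that some environments grant read to that group instead.
$ComputerReadTrustees = 'Authenticated Users', 'Domain Computers'

function Get-GpoMissingComputerRead {
    # Hypothetical helper: returns every GPO where none of the trustees above
    # holds an allow permission (GpoRead, GpoApply, or higher).
    foreach ($gpo in Get-GPO -All) {
        $granted = foreach ($name in $ComputerReadTrustees) {
            # Get-GPPermission raises an error when the trustee has no entry on the GPO.
            $perm = Get-GPPermission -Guid $gpo.Id -TargetName $name `
                        -TargetType Group -ErrorAction SilentlyContinue
            if ($perm -and -not $perm.Denied -and $perm.Permission -ne 'None') { $name }
        }
        if (-not $granted) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Status      = $gpo.GpoStatus
            }
        }
    }
}

function Add-GpoAuthenticatedUsersRead {
    # Hypothetical helper: grants read-only access; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][guid]$Id,
        [Parameter(ValueFromPipelineByPropertyName)][string]$DisplayName
    )
    process {
        if ($PSCmdlet.ShouldProcess($DisplayName, 'Grant GpoRead to Authenticated Users')) {
            Set-GPPermission -Guid $Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Report first and review the list before changing any ACL.
$missing = Get-GpoMissingComputerRead
$missing | Format-Table -AutoSize

# Dry run of the fix. Remove -WhatIf to apply.
$missing | Add-GpoAuthenticatedUsersRead -WhatIf
```

`GpoRead` grants Read without "Apply group policy", so a GPO that is security-filtered to specific users stays scoped to those users after the change.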
Cliff Galiher Commented:
It is worth noting that this is not unique to Windows 10. Microsoft changed this in June for all OSes. Don't blame win10.
0
Crossroads305 (Author) Commented:
Interesting, do you know of the KB article that states that?
0

Cliff Galiher Commented:
Learnctx posted those already in his response.
0

Crossroads305 (Author) Commented:
Thanks guys, this is really helpful.
0

Question has a verified solution.