Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows 10 and GPO only applies when "Authenticated Users" is added to Security filtering

Posted on 2016-09-09
6
Medium Priority
?
229 Views
Last Modified: 2016-09-11
So I don't know if I should chalk this up to a "Feature" in windows 10 but I've been having problems with GPO only applying randomly or not at all to users since we started rolling out windows 10. This does not happen with windows 7 or below or 2008.  Has anyone else had this problem? Did Microsoft change the way filters are applied through GPO with windows 10? I updated to the latest windows 10 GPOs thinking mine were outdated and it didn't help til I added that. is this a new "Best Practices" that Microsoft recently put in place and want you to do WMI filtering instead, which I have no clue how to do, or is this just flat out a bug? All my AD replications and every test I ran have come back as good. Is there any other underlying cause that could cause this kind of issue?

Backstory:
The one policy we had was filtered to specific users. After hours of troubleshooting, because it was only happening on 1 of several machines that the user logged into it seemed all to point to a user issue. I was able to replicated the issue with another user I created but not with any other active user including mine. I ran gpupdate several times it always came back with successful, but when I ran gpresult the offending policy wasn't there. like it was ignored completely and not in the folder. I thought some how it got unlinked, checked that. Everything seemed fine, the users who it was filtered to had rights to it. it worked on other computers on the network. So on a hunch I saw all policies that worked had one thing in common, they were only applied to Authenticated users. So while not removing the old settings, I added that in and gpupdate /force. Right away the GPO applied and everything was well, multiple log outs and log in on the computer I tested worked.
0
Comment
Question by:Crossroads305
  • 2
  • 2
  • 2
6 Comments
 
LVL 18

Assisted Solution

by:Learnctx
Learnctx earned 1000 total points
ID: 41792263
Microsoft change the way filters are applied through GPO with windows 10?

Microsoft has fundamentally changed the way GPO's applied since MS16-072 (or KB3163622) to prevent a MiTM vulnerability. See the MS PFE blog post here. Since this patch, the computer requires permission to all GPO's whether they contain user or computer settings. Microsoft recommend adding Authenticated Users to the ACL with read access.

The good news is the fix is straight forward. There is a script in the article which you can run to quickly add Authenticated Users to any GPO missing this ACL.

Otherwise check out the TechNet Wiki on top GPO issues here. Assuming you don't have some sort of infrastructure issue most cases can be resolved by one of these common issues.
0
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 41792527
It is worth noting that this is not unique to Windows 10. Microsoft changed this in June for all OSes. Don't blame win10.
0
 
LVL 1

Author Comment

by:Crossroads305
ID: 41792901
Intresting, do you know of the KB article that states that?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 1000 total points
ID: 41792907
Learnctx posted those already in his response.
0
 
LVL 18

Accepted Solution

by:
Learnctx earned 1000 total points
ID: 41792950
0
 
LVL 1

Author Closing Comment

by:Crossroads305
ID: 41793589
Thanks Guys, this it's really helpful.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
The article covers five tools all IT professionals should know about, as they up productivity by a great deal!
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question