Solved

Windows 10 and GPO only applies when "Authenticated Users" is added to Security filtering

Posted on 2016-09-09
6
74 Views
Last Modified: 2016-09-11
So I don't know if I should chalk this up to a "Feature" in windows 10 but I've been having problems with GPO only applying randomly or not at all to users since we started rolling out windows 10. This does not happen with windows 7 or below or 2008.  Has anyone else had this problem? Did Microsoft change the way filters are applied through GPO with windows 10? I updated to the latest windows 10 GPOs thinking mine were outdated and it didn't help til I added that. is this a new "Best Practices" that Microsoft recently put in place and want you to do WMI filtering instead, which I have no clue how to do, or is this just flat out a bug? All my AD replications and every test I ran have come back as good. Is there any other underlying cause that could cause this kind of issue?

Backstory:
The one policy we had was filtered to specific users. After hours of troubleshooting, because it was only happening on 1 of several machines that the user logged into it seemed all to point to a user issue. I was able to replicated the issue with another user I created but not with any other active user including mine. I ran gpupdate several times it always came back with successful, but when I ran gpresult the offending policy wasn't there. like it was ignored completely and not in the folder. I thought some how it got unlinked, checked that. Everything seemed fine, the users who it was filtered to had rights to it. it worked on other computers on the network. So on a hunch I saw all policies that worked had one thing in common, they were only applied to Authenticated users. So while not removing the old settings, I added that in and gpupdate /force. Right away the GPO applied and everything was well, multiple log outs and log in on the computer I tested worked.
0
Comment
Question by:Crossroads305
  • 2
  • 2
  • 2
6 Comments
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41792263
Microsoft change the way filters are applied through GPO with windows 10?

Microsoft has fundamentally changed the way GPO's applied since MS16-072 (or KB3163622) to prevent a MiTM vulnerability. See the MS PFE blog post here. Since this patch, the computer requires permission to all GPO's whether they contain user or computer settings. Microsoft recommend adding Authenticated Users to the ACL with read access.

The good news is the fix is straight forward. There is a script in the article which you can run to quickly add Authenticated Users to any GPO missing this ACL.

Otherwise check out the TechNet Wiki on top GPO issues here. Assuming you don't have some sort of infrastructure issue most cases can be resolved by one of these common issues.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 41792527
It is worth noting that this is not unique to Windows 10. Microsoft changed this in June for all OSes. Don't blame win10.
0
 
LVL 1

Author Comment

by:Crossroads305
ID: 41792901
Intresting, do you know of the KB article that states that?
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 41792907
Learnctx posted those already in his response.
0
 
LVL 16

Accepted Solution

by:
Learnctx earned 250 total points
ID: 41792950
0
 
LVL 1

Author Closing Comment

by:Crossroads305
ID: 41793589
Thanks Guys, this it's really helpful.
0

Join & Write a Comment

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now