Solved

Windows 10 and GPO only applies when "Authenticated Users" is added to Security filtering

Posted on 2016-09-09
Last Modified: 2016-09-11
So I don't know if I should chalk this up to a "Feature" in Windows 10, but I've been having problems with GPO only applying randomly or not at all to users since we started rolling out Windows 10. This does not happen with Windows 7 or below or 2008. Has anyone else had this problem? Did Microsoft change the way filters are applied through GPO with Windows 10? I updated to the latest Windows 10 GPOs thinking mine were outdated and it didn't help until I added that. Is this a new "Best Practices" that Microsoft recently put in place and want you to do WMI filtering instead, which I have no clue how to do, or is this just flat out a bug? All my AD replications and every test I ran have come back as good. Is there any other underlying cause that could cause this kind of issue?

Backstory:
The one policy we had was filtered to specific users. After hours of troubleshooting, because it was only happening on 1 of several machines that the user logged into, it all seemed to point to a user issue. I was able to replicate the issue with another user I created but not with any other active user, including mine. I ran gpupdate several times and it always came back as successful, but when I ran gpresult the offending policy wasn't there, like it was ignored completely and not in the folder. I thought it somehow got unlinked and checked that. Everything seemed fine; the users who it was filtered to had rights to it. It worked on other computers on the network. So on a hunch I saw all policies that worked had one thing in common: they were only applied to Authenticated Users. So while not removing the old settings, I added that in and ran gpupdate /force. Right away the GPO applied and everything was well; multiple log outs and log ins on the computer I tested worked.
Question by:Crossroads305
6 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41792263
Microsoft change the way filters are applied through GPO with windows 10?

Microsoft has fundamentally changed the way GPOs are applied since MS16-072 (or KB3163622) to prevent a MiTM vulnerability. See the MS PFE blog post here. Since this patch, the computer requires permission to all GPOs whether they contain user or computer settings. Microsoft recommends adding Authenticated Users to the ACL with read access.

The good news is the fix is straightforward. There is a script in the article which you can run to quickly add Authenticated Users to any GPO missing this ACL.

Otherwise check out the TechNet Wiki on top GPO issues here. Assuming you don't have some sort of infrastructure issue most cases can be resolved by one of these common issues.
0
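An audit for the condition described in the answer above, as an added example that is not part of the original thread and is not the script from the Microsoft article. It assumes the GroupPolicy PowerShell module (RSAT) is installed and treats either Authenticated Users or Domain Computers holding a non-denied read-level permission as sufficient; the function name Test-ComputerCanReadGpo is made up for this example.

```powershell
# Added example: list GPOs the computer account cannot read after MS16-072.
Import-Module GroupPolicy

# Well-known SID of Authenticated Users; Domain Computers is <domain SID>-515.
$AuthUsersSid = 'S-1-5-11'
# Permission levels reported by Get-GPPermission that include read access.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-ComputerCanReadGpo {
    param([Parameter(Mandatory)] [guid] $GpoId)

    foreach ($ace in (Get-GPPermission -Guid $GpoId -All)) {
        $sid = $ace.Trustee.Sid.Value
        # Match on SID rather than name so localized group names still work.
        $coversComputer = ($sid -eq $AuthUsersSid) -or ($sid -like 'S-1-5-21-*-515')
        if ($coversComputer -and -not $ace.Denied -and "$($ace.Permission)" -in $ReadLevels) {
            return $true
        }
    }
    return $false
}

# GPOs where security filtering removed Authenticated Users and nothing else
# gives the computer account read access.
$missing = Get-GPO -All | Where-Object { -not (Test-ComputerCanReadGpo -GpoId $_.Id) }
$missing | Sort-Object DisplayName | Format-Table DisplayName, Id, GpoStatus -AutoSize

# Grant Read only (GpoRead, not GpoApply): the computer can then read the GPO,
# while the existing security filtering still decides which users it applies to.
# -WhatIf previews the change; remove it to apply.
# 'Authenticated Users' is the English group name; adjust on localized domains.
foreach ($gpo in $missing) {
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -WhatIf
}
```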
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 41792527
It is worth noting that this is not unique to Windows 10. Microsoft changed this in June for all OSes. Don't blame win10.
0
 
LVL 1

Author Comment

by:Crossroads305
ID: 41792901
Interesting, do you know of the KB article that states that?
0
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 250 total points
ID: 41792907
Learnctx posted those already in his response.
0
 
LVL 17

Accepted Solution

by:
Learnctx earned 250 total points
ID: 41792950
0
 
LVL 1

Author Closing Comment

by:Crossroads305
ID: 41793589
Thanks guys, this is really helpful.
0
