
I have a Server 2008 R2 Domain with quite a few Group Policy Objects that should be applied to various OUs and security groups (using security filtering).

I got reports from users that they were missing certain settings and things like mapped drives. When I started investigating the problem, I found that almost every single GPO in our domain has simply stopped being applied.

There are a few GPOs (like the default domain policy) that are still being applied, and it looks like the one thing they have in common is that these policies are all applied to the 'Authenticated Users' builtin group, whereas all other GPOs use security filtering on various other security groups.

I have run lots of RSOP tests (Planning and Logging), which both show that only the GPOs applied to 'Authenticated Users' are being run. The other GPOs don't even show up under the "GPOs that were not applied ..." section of gpresult. I have checked permissions, GPO inheritance, and a few other basic but common GPO problems, all of which seem fine. I tried creating some brand new GPOs and applying them to brand new security groups, however these were also not applied.

I have not noticed any other issues with Active Directory; authentication against these security groups for other functions (such as file permissions) all seems to be working as expected.

I'm at a total loss to explain why these GPOs just suddenly stopped getting applied, for no apparent reason. Does anyone have any ideas what might be going on, or how to continue troubleshooting?

blacklight

1 Answer


It is an issue with MS16-072. All user GPOs must have at least read permission for Authenticated Users.

https://support.microsoft.com/en-us/kb/3163622

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context.

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and use one of the following steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with read permission.

Greg Askew
  • To be clear, Domain Computers must have Read permissions to the GPOs. It's not necessary to grant Authenticated Users Read permissions to the GPOs. – joeqwerty Jun 22 '16 at 11:23
  • Thanks Joe, I came to that conclusion after reading the Microsoft notes. I have a better understanding now about how the security context is used for GPOs. Much appreciated. – blacklight Jun 22 '16 at 11:25
  • Authenticated Users have Read permission by default, and that is the most orthodox way of doing it. It may achieve the same result, but only allows computers from the specified domain to read the GPO, as opposed to allowing any authenticated user or computer in any domain. – Greg Askew Jun 22 '16 at 11:35
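The check the answer and comments describe, as an added example rather than code from the original thread: it audits every GPO in the domain for a non-denied Read (or higher) entry for Authenticated Users or Domain Computers, the condition MS16-072 requires, and previews the fix with `-WhatIf`. It assumes the GroupPolicy module (GPMC/RSAT) is installed and that the trustee display names are the default English ones.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module.
Import-Module GroupPolicy

# Permission levels that include the ability to read the GPO (GpoApply implies Read).
$readLevels       = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
# Either trustee satisfies the MS16-072 requirement; see the comments above for the trade-off.
$requiredTrustees = 'Authenticated Users', 'Domain Computers'

function Test-GpoReadAccess {
    param([Parameter(Mandatory)] $Gpo)
    $perms   = Get-GPPermission -Guid $Gpo.Id -All
    $granted = $perms | Where-Object {
        $requiredTrustees -contains $_.Trustee.Name -and
        -not $_.Denied -and
        $readLevels -contains [string]$_.Permission
    }
    [pscustomobject]@{
        Name   = $Gpo.DisplayName
        Id     = $Gpo.Id
        Ok     = [bool]$granted
        ReadBy = ($granted.Trustee.Name | Sort-Object -Unique) -join ', '
        # GpoCustom ACEs may or may not include Read; flag them for manual review.
        Custom = [bool]($perms | Where-Object { [string]$_.Permission -eq 'GpoCustom' })
    }
}

$report = Get-GPO -All | ForEach-Object { Test-GpoReadAccess -Gpo $_ }
$report | Sort-Object Ok, Name | Format-Table Name, Ok, ReadBy, Custom -AutoSize

# Remediation from the KB article: grant Read to Authenticated Users on every failing GPO.
# Use 'Domain Computers' instead for the narrower grant joeqwerty describes.
# -WhatIf only previews the change; remove it to apply.
$report | Where-Object { -not $_.Ok } | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -WhatIf
}
```

Run it from a domain-joined admin session after the update has been applied; GPOs that report `Ok = False` are the ones that will silently stop applying on patched clients.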