Microsoft released this update to fix a man-in-the-middle attack against Group Policy updates, but it also changed how Group Policy is applied. If you use security-filtered Group Policy Objects that are applied to users AND you have removed the “Authenticated Users” group from the GPO, the GPO will no longer apply to those users. This does not affect GPOs scoped to computer accounts, because adding a computer account or group to the scope automatically gives it the Read permission.
Before we fix the issue, it is always good to understand it. There is a difference between Group Policy scope and Group Policy permissions. The scope is the list of who can apply the GPO; the permissions control who can read, write, delete, or modify the permissions of the policy. You can find these permissions on the Delegation tab of each policy.
A default GPO will look something like this.
As long as “Authenticated Users” has the Read permission, the GPO will continue to apply after installing MS16-072/KB3163622. This is because computer accounts are members of “Authenticated Users”.
A lot of sysadmins remove “Authenticated Users” and use their own users or security groups on the Scope tab, and before this update everything would have worked fine.
On the delegation tab you should see something like this.
You can see that the user group has the Read permission on the GPO, but “Authenticated Users” is gone. Now that MS16-072 has been installed, we no longer have enough permissions to retrieve the policy from SYSVOL. This is because the computer account is now used for this and needs Read access to the policy. In the above picture you can see that none of the groups contain computer accounts.
Most of the time when you use security filtering for users, you want the policy to apply to those users no matter what computer they log on to. To do this you need to add either “Authenticated Users” or “Domain Computers” to the Delegation tab with the Read permission.
In the above picture you can see that “Domain Computers” has the Read permission, and your user group has Read (from Security Filtering). This tells us the user group is security filtered to apply the GPO from the Scope tab, while Domain Computers has Read but not Apply.
Now you could go through each GPO and make this change manually, or you can use PowerShell to add the “Domain Computers” group to the Delegation tab with just the Read permission.
Just a few things to note:
By default, when a computer is joined to a domain it is automatically added to the “Domain Computers” AD security group. Some sysadmins manually manage the membership of this group, so it may not contain all your computers. If this is the case, use “Authenticated Users” instead.
Here is a very basic script that will give “Domain Computers” the Read permission on all of your Group Policies.
# Grant "Domain Computers" Read (not Apply) on every GPO in the domain
Import-Module GroupPolicy
$gpos = Get-GPO -All
foreach ($gpo in $gpos)
{
    Set-GPPermissions -Name $gpo.DisplayName -PermissionLevel GpoRead -TargetName "Domain Computers" -TargetType Group
}
If you want to be more thorough and get a list of the GPOs that need fixing, you can use this script from Microsoft. Their script is set to use “Authenticated Users”; I have changed the version below to use “Domain Computers”.
# Copyright (C) Microsoft Corporation. All rights reserved.
# Requires Windows 7 / Server 2008 R2 or later and the GroupPolicy module (GPMC)
$osver = [System.Environment]::OSVersion.Version
$win7 = New-Object System.Version 6, 1, 7601, 0
if($osver -lt $win7)
{
    Write-Error "OS Version is not compatible for this script. Please run on Windows 7 or above"
    return
}
Try
{
    Import-Module GroupPolicy
}
Catch
{
    Write-Error "GP Management tools may not be installed on this machine. Script cannot run"
    return
}
# Collect every GPO with user settings enabled that grants nothing to "Domain Computers"
$arrgpo = New-Object System.Collections.ArrayList
foreach ($loopGPO in Get-GPO -All)
{
    if ($loopGPO.User.Enabled)
    {
        $AuthPermissionsExists = Get-GPPermissions -Guid $loopGPO.Id -All | Select-Object -ExpandProperty Trustee | ? {$_.Name -eq "Domain Computers"}
        If (!$AuthPermissionsExists)
        {
            $arrgpo.Add($loopGPO) | Out-Null
        }
    }
}
if($arrgpo.Count -eq 0)
{
    echo "All Group Policy Objects grant access to 'Domain Computers'"
    return
}
else
{
    Write-Warning "The following Group Policy Objects do not grant any permissions to the 'Domain Computers' group:"
    foreach ($loopGPO in $arrgpo)
    {
        write-host "'$($loopgpo.DisplayName)'"
    }
}
# Ask before changing anything
$title = "Adjust GPO Permissions"
$message = "The Group Policy Objects (GPOs) listed above do not have the Domain Computers group added with any permissions. Group policies may fail to apply if the computer attempting to list the GPOs required to download does not have Read Permissions. Would you like to adjust the GPO permissions by adding Domain Computers group Read permissions?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
    "Adds Domain Computers group to all user GPOs which don't have 'Read' permissions"
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
    "No Action will be taken. Some Group Policies may fail to apply"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)
$appliedgroup = $null
switch ($result)
{
    0 {$appliedgroup = "Domain Computers"}
    1 {$appliedgroup = $null}
}
# Grant Read only (GpoRead), never Apply, so the policy is still filtered by the user groups on the Scope tab
If($appliedgroup)
{
    foreach($loopgpo in $arrgpo)
    {
        write-host "Adding 'Read' permissions for '$appliedgroup' to the GPO '$($loopgpo.DisplayName)'."
        Set-GPPermissions -Guid $loopgpo.Id -TargetName $appliedgroup -TargetType group -PermissionLevel GpoRead | Out-Null
    }
}
Now that you have fixed all your Group Policies, you just have to remember, when creating new policies, to add either “Domain Computers” or “Authenticated Users” and give them the Read permission.
One final note!
If you use Deny:Read permissions to exclude a group, you will also need to add a Deny:Apply permission for that group. This is because the read is now done by the computer account and not the user account, so Deny:Read on a user group no longer stops the policy from applying to those users.
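As an added audit example (not code from this post or from Microsoft's script), the report below covers both points above: user-side GPOs where neither “Authenticated Users” nor “Domain Computers” can read the policy, and Deny:Read entries that have no matching Deny:Apply. It assumes the GroupPolicy module is installed and that the account running it can read every GPO; it changes nothing.

```powershell
# Added audit example; assumes the GroupPolicy (GPMC) module and read access to all GPOs.
Import-Module GroupPolicy

# Trustees that contain computer accounts, so the computer can read the GPO after MS16-072
$computerTrustees = @('Authenticated Users', 'Domain Computers')

$report = foreach ($gpo in Get-GPO -All) {
    # Only GPOs with user settings are affected; computer-scoped GPOs already grant Read
    if (-not $gpo.User.Enabled) { continue }

    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Any Allow entry held by a computer-bearing trustee is enough for the read
    $computerCanRead = $perms | Where-Object {
        -not $_.Denied -and ($computerTrustees -contains $_.Trustee.Name)
    }

    # Deny:Read without Deny:Apply no longer excludes the trustee, because the
    # computer (not the user) performs the read
    $denyRead  = $perms | Where-Object { $_.Denied -and $_.Permission -eq 'GpoRead' }
    $denyApply = $perms | Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' }
    $denyReadOnly = $denyRead | Where-Object {
        $name = $_.Trustee.Name
        -not ($denyApply | Where-Object { $_.Trustee.Name -eq $name })
    }

    [pscustomobject]@{
        GPO             = $gpo.DisplayName
        ComputerCanRead = [bool]$computerCanRead
        DenyReadOnly    = ($denyReadOnly | ForEach-Object { $_.Trustee.Name }) -join ', '
    }
}

# User GPOs that will silently stop applying after the update
$report | Where-Object { -not $_.ComputerCanRead } | Format-Table -AutoSize
# GPOs whose Deny:Read filter no longer excludes the listed trustees
$report | Where-Object { $_.DenyReadOnly } | Format-Table -AutoSize
```

Run it before and after applying either fix script above to confirm that the first table is empty; entries in the second table need a Deny:Apply added on the Delegation tab by hand, since Set-GPPermission only manages Allow entries.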