
Microsoft released this update to fix a man-in-the-middle attack against Group Policy updates, but it also changed how Group Policy is applied. If you have user-scoped GPOs that use security filtering AND you have removed the “Authenticated Users” group from the GPO’s permissions, those GPOs will no longer apply to the user. GPOs scoped to computer accounts are not affected: adding a computer account or computer group to the security filter automatically gives it the Read permission.

Before fixing the issue it helps to understand it. There is a difference between Group Policy scope and Group Policy permissions. The scope (Security Filtering on the Scope tab) lists who the GPO applies to. The permissions control who can read, write, delete, or modify the permissions of the policy; you can find them on the Delegation tab of each policy.

A default GPO will look something like this.

[screenshot: gpoauth2]

[screenshot: gpoauth1]

As long as “Authenticated Users” has the Read permission, the GPO will continue to apply after installing MS16-072/KB3163622. This is because computer accounts are members of “Authenticated Users” too.

A lot of sysadmins remove “Authenticated Users” and add their own users or security groups on the Scope tab instead, and before this update everything would have worked fine.

[screenshot: gpoauth3]

On the delegation tab you should see something like this.

[screenshot: gpoauth4]

You can see that the user group has the Read permission on the GPO, but “Authenticated Users” is gone. Now that MS16-072 has been installed, there are no longer enough permissions to retrieve the policy from SYSVOL: user policy is now retrieved in the security context of the computer account, so the computer account needs Read access to the policy. In the picture above, none of the listed groups contain computer accounts.

Most of the time when you security-filter a policy to users, you want it to apply to those users no matter which computer they log on to. To do this, add either “Authenticated Users” or “Domain Computers” on the Delegation tab with the Read permission only.

[screenshot: gpoauth5]

In the picture above, “Domain Computers” has the Read permission and the user group has “Read (from Security Filtering)”. This tells us the user group is security-filtered to apply the GPO from the Scope tab, while Domain Computers has Read but not Apply, so computers can read the policy without it being applied to them.

You could go through each GPO and make this change manually, or you can use PowerShell to add the “Domain Computers” group to the Delegation tab with just the Read permission.

Just one thing to note first: by default, when a computer is joined to a domain it is automatically added to the “Domain Computers” AD security group. Some sysadmins manage the membership of this group by hand, so it may not contain all of your computers. If that is the case, use “Authenticated Users” instead.

Here is a very basic script that gives “Domain Computers” the Read permission on all of your Group Policies.

If you want to be more thorough and get a list of the GPOs that need fixing, you can use the script from Microsoft. Their script uses “Authenticated Users”; the version below has been changed to use “Domain Computers”.
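The following is an added example, written for this page; it is neither the blog author’s script nor Microsoft’s KB3163622 script. It covers both jobs described above: it audits every GPO in the domain for a non-denied Read (or Apply, which implies Read) permission held by Authenticated Users or Domain Computers, lists the GPOs that lack one, and with `-Fix` grants the group named in `-ReadGroup` (Domain Computers by default) GpoRead on each of them. It assumes the GroupPolicy PowerShell module (GPMC/RSAT) is installed and that the account running it can edit GPO security; the parameter and function names are this example’s own.

```powershell
<#
Added example (not the blog author's or Microsoft's script).
Lists GPOs that have no Read permission for a group containing computer accounts
and, with -Fix, grants the chosen group Read only (not Apply) on each of them.
Assumes the GroupPolicy module is available and you can edit GPO permissions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Group to add with Read only. Use "Authenticated Users" if Domain Computers
    # membership is managed by hand and may not hold every computer.
    [string]$ReadGroup = "Domain Computers",
    # Report only unless -Fix is given; -Fix -WhatIf previews the change.
    [switch]$Fix
)

Import-Module GroupPolicy -ErrorAction Stop

# Match on well-known SIDs rather than display names so the check is
# language-independent: S-1-5-11 is Authenticated Users, and a domain SID
# ending in -515 is the Domain Computers group.
function Test-ComputerReadTrustee {
    param($Trustee)
    $sid = $Trustee.Sid.Value
    return ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
}

# Returns one object per GPO that no computer-containing group can read.
function Get-GpoMissingComputerRead {
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        # A Deny entry does not count as Read; GpoApply implies GpoRead.
        $ok = $perms | Where-Object {
            -not $_.Denied -and
            $_.Permission.ToString() -in @('GpoRead', 'GpoApply') -and
            (Test-ComputerReadTrustee $_.Trustee)
        }
        if (-not $ok) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($perms | ForEach-Object {
                    "$($_.Trustee.Name)=$($_.Permission)$(if ($_.Denied) { '(Deny)' })"
                }) -join '; '
            }
        }
    }
}

$missing = @(Get-GpoMissingComputerRead)
Write-Host ("{0} GPO(s) lack a Read permission for Authenticated Users or Domain Computers" -f $missing.Count)

if ($Fix) {
    foreach ($g in $missing) {
        if ($PSCmdlet.ShouldProcess($g.DisplayName, "Grant '$ReadGroup' GpoRead")) {
            # GpoRead adds Read without Apply Group Policy, so the GPO still applies
            # only to the users and groups listed under Security Filtering.
            Set-GPPermission -Guid $g.Id -TargetName $ReadGroup -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
        }
    }
}

$missing | Format-Table DisplayName, Id, Trustees -AutoSize
```

Run it with no switches first to get the report; `-Fix -WhatIf` shows which GPOs would be changed, and `-Fix` applies the change. `Set-GPPermission` with `GpoRead` does not downgrade a trustee that already holds a higher level, so re-running the script is safe.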

Now that you have fixed all your Group Policies, just remember when creating new policies to add either “Domain Computers” or “Authenticated Users” and give it the Read permission.

One final note!

If you use a Deny:Read permission on a user group to stop a policy applying, you now also need to add Deny:Apply Group Policy for that group. This is because the read is now done by the computer account rather than the user’s account, so a Deny:Read on the user group no longer prevents the policy from being applied.

[screenshot: gpoauth6]


Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple of reasons. The first reason was basically just a place for me to store my step-by-step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.
