So as many of you may know, yesterday Microsoft released a security hotfix that changed the behavior of Group Policy. Put simply if you have a security group filtered User Group Policy Object and you also removed the “Authenticated Users” group from the policy it will no longer apply after you install MS16-072.
In light of this Ian Farr from Microsoft has released a PowerShell script that identifies all the Group Policy Objects that have “Authenticated Users” removed. It is important to note that not all of the GPO’s are necessarily affected, only the ones that are applied to AD user objects.
In addition to this Microsoft also released a KB outlining the issues and what can be done manually to fix the problem.
See https://support.microsoft.com/en-sg/kb/3163622
Finally, fellow Group Policy MVP Darren Mar-Elia has released a PowerShell script of his own that adds back the “Authenticated Users” read permission to the GPO’s that are missing the permission.
The key take away from this is that it certainly appears that this is going to be a permanent change with how security group filtered GPO’s apply. So going forward be aware that it more than just a Bad Idea to do remove “Authenticated Users”, it could down right break the GPO.
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
Nuno Araújo liked this on Facebook.
MÃcheál Ó Briain liked this on Facebook.
Aaron Young liked this on Facebook.
Calvin Chen liked this on Facebook.
Shirl Worley liked this on Facebook.
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
Jose KoLo liked this on Facebook.
Marshall Reid Griffey liked this on Facebook.
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
Tyler Ng liked this on Facebook.
Fei Lai liked this on Facebook.
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
Derek Thompson liked this on Facebook.
Dinesh Kumar liked this on Facebook.
Joseph Ortega liked this on Facebook.
Larbi Mannai liked this on Facebook.
Muhammad Jahangir Farooq liked this on Facebook.
Brent Dorrington liked this on Facebook.
Darren Mar-Elia liked this on Facebook.
Tomas Lepa liked this on Facebook.
William Ng liked this on Facebook.
Dmitry Antonov liked this on Facebook.
Sheila Brooks Klein liked this on Facebook.
John Forth liked this on Facebook.
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
Alaa Eldin liked this on Facebook.
Brian Booher liked this on Facebook.
Thiago Everton liked this on Facebook.
Stanislav Koval liked this on Facebook.
How to broken GPO because of MS16-072 https://t.co/9WugsXz2GG
RT @alanburchill: How to fix broken GPO’s because of MS16-072 https://t.co/dllMXkrlJn
Santiago Buitrago liked this on Facebook.
Vijay Kumar Bhudala liked this on Facebook.
Jürgen Pilz liked this on Facebook.
Group Policy broken due to MS16-072! https://t.co/SEllra6gql
Ken Stone liked this on Facebook.
After MS16-072 update, User GPO may not work anymore after you removed the Authenticated User group https://t.co/Gv3woVC7ME #cybersecurity
RT @GizmeeTech: After MS16-072 update, User GPO may not work anymore after you removed the Authenticated User group https://t.co/Gv3woVC7ME…
RT @GizmeeTech: After MS16-072 update, User GPO may not work anymore after you removed the Authenticated User group https://t.co/Gv3woVC7ME…