This is a PSA for all Group Policy administrators about MS16-072, which was released yesterday. The patch fixed a man-in-the-middle attack using Group Policy update; however, it appears that it has also changed the way Group Policy is applied. If you have a security-filtered Group Policy Object that is applied to users AND you have also removed the “Authenticated Users” group from the GPO, then this GPO will no longer apply to the user.
To work around this problem you can either remove the patch or add the “read” permission for the “Authenticated Users” group back to the GPO. This allows the computer object to read the policy setting and the policy will then work again. As a reminder, I stressed back in 2010 that you should never just remove “Authenticated Users” from your GPOs and that you should instead simply remove the “Apply” permission for the group. See https://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
No word yet on whether this is a deliberate change in behavior to fix the man-in-the-middle attack or something that will be fixed.
Update: Thanks to Darren Mar-Elia, who discovered that this was actually a documented change in behavior:
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context.
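The workaround described above can be checked across a whole domain with the GroupPolicy PowerShell module (part of RSAT). The script below is an added example, not part of the original post: it lists every GPO where “Authenticated Users” has no usable permission entry and, only when the hypothetical -Fix switch is given, grants GpoRead (read without apply). The parameter names and the default domain are assumptions.

```powershell
# Added example: audit (and optionally repair) GPOs for the MS16-072 requirement.
# Needs the GroupPolicy module from RSAT and rights to modify GPO security.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Domain = $env:USERDNSDOMAIN,  # assumption: the logged-on user's domain
    [switch]$Fix                           # report only unless -Fix is given
)

Import-Module GroupPolicy -ErrorAction Stop
$trustee = 'Authenticated Users'

foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # Get-GPPermission errors when the trustee has no entry on the GPO,
    # so a suppressed error ($null result) means the group was removed.
    $perm = Get-GPPermission -Guid $gpo.Id -Domain $Domain -TargetName $trustee `
                -TargetType Group -ErrorAction SilentlyContinue

    if ($perm -and $perm.Permission -ne 'GpoCustom' -and -not $perm.Denied) {
        continue   # GpoRead, GpoApply or higher: the GPO can already be read
    }

    $action = 'Missing read permission'
    if ($perm) {
        # A custom or deny entry is not overwritten automatically.
        $action = 'Custom or deny entry, review by hand'
    }
    elseif ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant GpoRead to $trustee")) {
        # GpoRead adds read only; security filtering by "apply" is left untouched.
        Set-GPPermission -Guid $gpo.Id -Domain $Domain -TargetName $trustee `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $action = 'Granted GpoRead'
    }

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        GpoStatus   = $gpo.GpoStatus
        Action      = $action
    }
}
```

Run it without -Fix first to get the report, then with -Fix -WhatIf to preview the permission changes before applying them.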
RT @alanburchill: MS16-072 may break you User Group Policies: This is a PSA for all Group Policy administrator about M… https://t.co/Bb6P…
Fuck MS16-072 🙁 https://t.co/la5tUKQd9w
Thanks for the heads up. Went through and fixed up my GPO’s that were missing “Authenticated Users” in the delegation tab. Re-added “Authenticated Users” and granted “read”, and left “apply” deselected.
Thanks! I have to do this across 15+ clients with a total of 300+ group policies. Powershell, here I come!
CC: Liam, Bek.
Leigh Bonser
Thanks for the heads up
@alanburchill Hey, just wanting to check – this update is on both desktop and server. My feelings are that it’s the *server* policy?
Updated – Confirmed that MS16-072 may break your User Group Policies “by-design” https://t.co/pVjBAvPk46
“Updated – MS16-072 may break your User Group Policies “by-design”” #tech #feedly https://t.co/XSQPZLB38K
Is this only true if you have removed “Authenticated Users” from the delegation tab? At 1st I thought you meant Authenticated users from Security Filter but as I read through it a few more times I understand it as if you have removed “Authenticated User” from the delegation tab you will have problems?
Eric Springer
This is a terrible patch. 15000 plus computers over 100 plus sites and all drive mappings are assigned by GPO using security filtering. So I have to redesign our entire AD structure and group policy objects?? I don’t want authenticated users to apply these policies. I only want the security group designed to apply these policies. What a terrible way to fix a security hole.
It’s not a terrible fix. Best practice would be to delegate read permission to authenticated users. Unless you have the apply group policy option checked, it won’t apply to everyone. Some cases providing read permission won’t conflict with loopback policy. If we use a filter group we should provide read permission to authenticated users. Search for the PowerShell command to provide permission to a group. It will solve your problem in one go.
Not Apply, READ! That’s a different permission.
https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/
We win a new simple GP filter. Much easier to use than Loopback or WMI to apply user settings depending on the computer the user logs in to.
@pcs504 Hope this helps – https://t.co/kgQ3k0lDAE
@somahony73 @alanburchill yep… thats the one… thanks, again, microsoft… how does that make it past QA… sort of obvious!
@pcs504 @alanburchill If it was intentional it should have been documented better.
@somahony73 @alanburchill looks to be intentional… Now updating all our GPO’s to adhere to this new standard………..
Updated – MS16-072 may break your User Group Policies “by-design” https://t.co/33ddp8p9Pj
Nice! Thanks Microsoft RT @hereshenry: Updated – MS16-072 may break your User Group Policies “by-design” https://t.co/yvI7suRouL
Remote Server Administration Tools for Windows is needed to do this.
This update doesn’t change the default permissions of a gpo so that it adds “authenticated users” with a separate “read” permission. If this update did what it was designed to do, it is obviously a horrible design. Before becoming aware that this update caused an issue, I tried restoring all permissions to default and then removed “authenticated users” from the scope and re-added the user groups I wanted in the scope. This did not resolve the issue and it should have. This update should update the “default permissions” button so it adds a read permission for “authenticated users”, and a separate “apply” permission for “authenticated users” that is removed when you remove “authenticated users” from the scope. Or… changing the scope to only selected user groups should update the “delegated permissions” appropriately so the scope works correctly. I really hope Microsoft is seeing the failure in this release.