How to fix broken GPO because of MS16-072

So as many of you may know, yesterday Microsoft released a security hotfix that changed the behavior of Group Policy. Put simply if you have a security group filtered User Group Policy Object and you also removed the “Authenticated Users” group from the policy it will no longer apply after you install MS16-072.

In light of this Ian Farr from Microsoft has released a PowerShell script that identifies all the Group Policy Objects that have “Authenticated Users” removed. It is important to note that not all of the GPO’s are necessarily affected, only the ones that are applied to AD user objects.

See https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/

In addition to this Microsoft also released a KB outlining the issues and what can be done manually to fix the problem.

See https://support.microsoft.com/en-sg/kb/3163622

Finally, fellow Group Policy MVP Darren Mar-Elia has released a PowerShell script of his own that adds back the “Authenticated Users” read permission to the GPO’s that are missing the permission.

See https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/

The key take away from this is that it certainly appears that this is going to be a permanent change with how security group filtered GPO’s apply. So going forward be aware that it more than just a Bad Idea to do remove “Authenticated Users”, it could down right break the GPO.

 

42 Comments

Leave a Reply

Your email address will not be published.