How to fix broken GPO because of MS16-072

So as many of you may know, yesterday Microsoft released a security hotfix that changed the behavior of Group Policy. Put simply if you have a security group filtered User Group Policy Object and you also removed the “Authenticated Users” group from the policy it will no longer apply after you install MS16-072.

In light of this Ian Farr from Microsoft has released a PowerShell script that identifies all the Group Policy Objects that have “Authenticated Users” removed. It is important to note that not all of the GPO’s are necessarily affected, only the ones that are applied to AD user objects.


In addition to this Microsoft also released a KB outlining the issues and what can be done manually to fix the problem.


Finally, fellow Group Policy MVP Darren Mar-Elia has released a PowerShell script of his own that adds back the “Authenticated Users” read permission to the GPO’s that are missing the permission.


The key take away from this is that it certainly appears that this is going to be a permanent change with how security group filtered GPO’s apply. So going forward be aware that it more than just a Bad Idea to do remove “Authenticated Users”, it could down right break the GPO.



Author: Alan Burchill

Microsoft MVP (Group Policy)

43 thoughts on “How to fix broken GPO because of MS16-072

Leave a Reply