Microsoft has just published a post about the MS16-072 hotfix that was released this month. Needless to say, a lot of organisations have been caught off guard by this change and want to know how to fix the problem. What is more confusing is that there are actually two different ways to fix it: you can either add back the “Authenticated Users” group with “Read” access, or you can add the “Domain Computers” group with “Read” access.
There has also been a lot of debate in the Group Policy community about what is the “best” way to fix this problem. Should you add “Authenticated Users” or “Domain Computers”? Personally I think adding the “Authenticated Users” read permission back is the way to do it, as this restores the original permission that was removed in the first place. It also means the permissions applied to your GPOs will be consistent, which is always a highly desirable attribute for supporting any environment. However, you might have some settings in your GPO that you want to obfuscate from the users. If this is the case, then adding “Domain Computers” read access is also totally valid. Doing this for security-filtered user Group Policy Objects will mean that normal users will not be able to read the settings. But be absolutely clear: this only obfuscates the GPO settings, as a local admin could still conceivably run as the local machine system account and read the settings. Yes, it is a way to hide your organisation's settings from a bad guy, but it also might make troubleshooting GPO policies harder, as non-domain admins will no longer be able to see all the GPOs.
Ultimately it is your decision as to how you want to fix the problem. Either add “Authenticated Users” or “Domain Computers”, but either way, make sure you review all your security-filtered Group Policy Objects to make sure the permissions are added to the GPOs so they work.
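
One way to carry out that review, as an added example that is not part of the original post: it lists every GPO where neither “Authenticated Users” nor “Domain Computers” holds a permission that includes read. It assumes the GroupPolicy module (RSAT/GPMC), a domain-joined session and English group names; `Test-GpoComputerRead` and `$Remediate` are hypothetical names.

```powershell
# Added example: audit GPOs for the computer-readable permission discussed above.
# Assumes the GroupPolicy module (RSAT / GPMC) and English built-in group names.
Import-Module GroupPolicy

# Permission levels that include read access to the GPO.
# GpoCustom is deliberately excluded: it needs a manual look in GPMC.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Hypothetical helper: returns the group that grants read, or $null if none does.
function Test-GpoComputerRead {
    param([Parameter(Mandatory)] [guid] $GpoId)

    foreach ($group in 'Authenticated Users', 'Domain Computers') {
        # Get-GPPermission raises an error when the trustee has no entry at all.
        $perm = Get-GPPermission -Guid $GpoId -TargetName $group `
                    -TargetType Group -ErrorAction SilentlyContinue
        if ($perm -and -not $perm.Denied -and
            $readLevels -contains "$($perm.Permission)") {
            return $group
        }
    }
    return $null
}

$report = foreach ($gpo in Get-GPO -All) {
    $grantedBy = Test-GpoComputerRead -GpoId $gpo.Id
    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        ReadVia     = $grantedBy          # which group currently provides read
        NeedsFix    = -not $grantedBy     # true when neither group can read
    }
}

# GPOs that will stop applying until one of the two groups is added.
$report | Where-Object NeedsFix | Sort-Object DisplayName |
    Format-Table DisplayName, Id -AutoSize

# Optional remediation: pick ONE of the two groups, as discussed in the post.
$Remediate   = $false                     # flip to $true after reviewing the report
$targetGroup = 'Authenticated Users'      # or 'Domain Computers'
if ($Remediate) {
    $report | Where-Object NeedsFix | ForEach-Object {
        # -WhatIf previews the change; remove it to apply.
        Set-GPPermission -Guid $_.Id -TargetName $targetGroup `
            -TargetType Group -PermissionLevel GpoRead -WhatIf
    }
}
```

The `ReadVia` column also shows which of the two groups each working GPO relies on, which helps when checking that the permissions are consistent across the environment.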