How to solve the Known Issue in MS16-072

Microsoft released MS16-072: Security update for Group Policy: June 14, 2016

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.

The known issue is that all user Group Policy, including policies that have been security filtered on user accounts or security groups, or both, may fail to apply on domain-joined computers if the Group Policy Object is missing the Read permission for the Authenticated Users group, or if you are using security filtering and are missing Read permissions for the Domain Computers group.

Resolution:
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

  • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
  • If you are using security filtering, add the Domain Computers group with Read permission.

 

Doing that manually is a nightmare… but PowerShell can help. With this script you can deploy ‘Read’ permission for “Authenticated Users” on all GPOs, or only where it is needed, based on whether the “Domain Computers” group has ‘Read’ permission and/or the GPO is a “Per-User Setting” GPO. If you want to be restrictive, enable -checkDomainComputer and -checkPerUserSetting.
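The check and fix from the Resolution steps, as an added example (not the script referred to above, and it does not implement that script's -checkDomainComputer or -checkPerUserSetting switches). It uses the GroupPolicy module cmdlets Get-GPO, Get-GPPermission and Set-GPPermission; the function name Repair-GpoComputerRead is hypothetical.

```powershell
#Requires -Modules GroupPolicy

function Repair-GpoComputerRead {            # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Fix)                      # without -Fix, report only

    # Permission levels that include Read on the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # A computer account can read the GPO if Authenticated Users (S-1-5-11)
        # or Domain Computers (domain RID 515) holds an allow entry with Read.
        # Matching on SID avoids localized group names.
        $readers = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
            -not $_.Denied -and
            $_.Permission -in $readLevels -and
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
             $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }
        if ($readers) { continue }           # GPO is not affected

        $fixed = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName,
                'Grant Read to Authenticated Users')) {
            # GpoRead grants Read only, not Apply, so security filtering
            # still decides which users the GPO applies to.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $fixed = $true
        }

        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            UserVersion = $gpo.User.DSVersion  # 0: user half was never edited
            UserEnabled = $gpo.User.Enabled
            Fixed       = $fixed
        }
    }
}

# Report first, then preview the change; uncomment the last line to apply it.
Repair-GpoComputerRead | Format-Table -AutoSize
Repair-GpoComputerRead -Fix -WhatIf
# Repair-GpoComputerRead -Fix
```

Run it from a machine with the Group Policy management tools installed, using an account that can modify security on the GPOs.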

Via: https://support.microsoft.com/en-us/kb/3163622
