Group Policy cannot apply when using security Filtering

    Question

  • Dear all,

    I have a Group Policy problem with applying security filtering.
    There are two 2008 R2 DCs running in sync mode (DC 01 and DC 02).
    I created a GPO called "Map Server03 Driver" and linked it under the IT Team OU (OU path: xxxx.local > My Company > Corporate Service > IT Team).
    Since I need to apply this GPO to one user only, I set up security filtering and added the user (IT Testing) in the security filtering column.

    After this procedure, when I use the "IT Testing" account to log on to the Win 7 PC, the policy does not work.
    When I use gpresult /r to check the details, I do not find the GPO "Map Server03 Driver" applied.
    Only the four domain-level GPOs are applied.

    If I use "Authenticated Users" instead of the "IT Testing" account, this GPO works normally.

    The "IT Testing" account is under the "IT Team" OU.

    Can anyone tell me what the problem is, or whether there is a wrong procedure in setting up the GPO?

    Thank you.



    Tuesday, July 05, 2016 8:52 AM

Answers

  • Hi,

    This is a known issue/change in the latest Microsoft KB released.

    Follow this link for detailed information on this and see if it applies to you.

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    In such cases, you will need to make sure of the following before you deploy the security update:
    1. Check if "Authenticated Users" group read permissions were removed intentionally by the admins. If not, then you should probably add those back. For example, if you do not use any security filtering to target specific group policies to a set of users, you could add "Authenticated Users" back with the default permissions as shown in the example screenshot above.
    2. If the "Authenticated Users" permissions were removed intentionally (security filtering, etc.), then as a result of the by-design change in this security update (i.e. to now use the computer's security context to retrieve user policies), you will need to add the computer account retrieving the group policy object (GPO) to "Read" Group Policy (and not "Apply group policy").


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, July 05, 2016 9:11 AM
  • > the server has not yet installed the update MS16-072, why is my server still
    > affected?
    The update affects the client-side part of GPOs, so check your client
    computers, not the server...
    --
    Greetings/Grüße, Martin -
    Want to read a good book about GPOs? -
    Good or bad GPOs? My blog - http://evilgpo.blogspot.com
    And if IT bothers me? Coke bottle design refreshment -

    Tuesday, July 05, 2016 1:21 PM

All replies

  • Check out this thread with a similar issue.

    https://social.technet.microsoft.com/Forums/en-US/74312bc7-d34a-4fee-b42a-8d54b4d9a36b/gpos-only-apply-to-authenticated-users-group?forum=winserverDS


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, July 05, 2016 10:22 AM
  • Dear Jimmy,

    Thanks for your reply.

    But after checking my two 2008 R2 DCs, the latest updates were installed on 20/4/2016; the server has not yet installed the update MS16-072, so why is my server still affected? Is there another problem, or a setup problem?

    Thank You

    Tuesday, July 05, 2016 10:33 AM
  • There could be another patch that might be causing it; however, try out the script to see whether that is what is breaking your GPO, and it will give you the results.

    Check the latest patches installed recently and eliminate them individually.

    https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/

    https://sdmsoftware.com/group-policy-blog/bugs/new-group-policy-patch-ms16-072-breaks-gp-processing-behavior/


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, July 05, 2016 10:38 AM
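The check-then-repair procedure from the accepted answer (restore "Authenticated Users" Read, or grant the computer accounts Read but not Apply) together with the "use PowerShell to check GPOs" audit linked in the reply above, written out as one script. This is an added example, not code from this thread, from the AskDS post or from the poshchap post. It assumes the GroupPolicy module (RSAT/GPMC) is installed, that it runs as a user allowed to read and edit GPO ACLs in the current machine's domain, and that "Domain Computers" is an acceptable principal to grant Read to (the AskDS steps name either "Authenticated Users" or the computer account). The GPO name "Map Server03 Driver" is taken from the question and used only as the sample to inspect.

```powershell
# Added example (not from the thread): audit every GPO for the MS16-072 condition,
# i.e. no principal covering computer accounts holds Read, then optionally grant
# "Domain Computers" Read only, so Apply stays with the security-filtered user/group.
# Assumptions: GroupPolicy module present (RSAT/GPMC), rights to edit GPO ACLs,
# the domain of the current machine. Mandatory=$true keeps this PowerShell 2.0 compatible.
Import-Module GroupPolicy

# Well-known SIDs: Authenticated Users is S-1-5-11; Domain Computers is the domain
# SID with RID 515. Matching on SID avoids name/locale differences. A GPO that
# grants Read to one specific computer account (the other option in the AskDS post)
# is still reported by this audit; add that account's SID here if you use that pattern.
function Test-ComputerReadTrustee {
    param([Parameter(Mandatory=$true)][System.Security.Principal.SecurityIdentifier]$Sid)
    return ($Sid.Value -eq 'S-1-5-11') -or ($Sid.Value -match '-515$')
}

# Permission levels that include Read. GpoCustom is deliberately not trusted,
# because a custom ACE may or may not include Read.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadableByComputers {
    param([Parameter(Mandatory=$true)]$Gpo)
    foreach ($ace in (Get-GPPermission -Guid $Gpo.Id -All)) {
        if ((Test-ComputerReadTrustee $ace.Trustee.Sid) -and
            ($ReadLevels -contains $ace.Permission.ToString())) {
            return $true
        }
    }
    return $false
}

function Repair-GpoComputerRead {
    param([Parameter(Mandatory=$true)]$Gpo)
    # Read only: the user/group in security filtering keeps Apply.
    Set-GPPermission -Guid $Gpo.Id -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

# --- audit ---
$affected = Get-GPO -All | Where-Object { -not (Test-GpoReadableByComputers $_) }
if ($affected) {
    "GPOs that computer accounts cannot read (user settings in them stop applying once clients have KB3163622):"
    $affected | Select-Object DisplayName, Id | Format-Table -AutoSize
} else {
    "All GPOs grant Read to Authenticated Users or Domain Computers."
}

# --- repair (uncomment once the audit output looks right) ---
# $affected | ForEach-Object { Repair-GpoComputerRead $_; "Granted Domain Computers Read on '$($_.DisplayName)'" }

# Show the resulting ACL of the GPO from the question; expect the filtered user with
# GpoApply and Domain Computers (or Authenticated Users) with GpoRead.
Get-GPPermission -Name 'Map Server03 Driver' -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

After the repair, on the Windows 7 client run `gpupdate /force` and then `gpresult /r /scope:user` to confirm the GPO now appears under applied user policies. As Martin's reply points out, the behaviour change lives on the client, not the DC: `Get-HotFix -Id KB3163622` on the Win 7 PC tells you whether the update named in the linked AskDS post is installed there, regardless of the patch level of the domain controllers.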