Microsoft released a series of patches that broke user group policies. Below is a snippet from the TechNet blog at https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/.
We released new security patches for all currently supported Operating Systems. Among those patches was this one: MS 16-072, which is also referenced as KB 3163622. OS-specific articles are released as 3159398, 3163017, 3163018, and 3163016.
KB 3159398 – Vista, 2008, 7, 2008 R2, 2012, 8.1, 2012 R2
KB 3163017 – Windows 10 TH1
KB 3163018 – Windows 10 TH2 and Server 2016 TP4
KB 3163016 – Server 2016 TP5
NOTE: The AskDS blog also has some excellent content out there on this topic that can be found here.
After applying the appropriate patch to your systems, user group policies are retrieved from SYSVOL differently than before. Prior to the update, domain-joined computers used the user's security context to make the connection and retrieve the policies. After the update is applied, domain-joined computers will now retrieve all policies using the computer security context.
The users that get the policy are still controlled by the policy scope just like before. The only change is that the computer is getting the policy for the user. GPOs that still had the default security scope of "Authenticated Users" typically still worked because that also grants the permission to any domain-authenticated computers.
To work around this change, the computer account will need "read" access to all GPOs in order to evaluate whether the user policies are applicable. I used group policy to grant the "Domain Computers" group read access to all existing group policies, and modified the security descriptor in the defaultSecurityDescriptor property of the CN=Group-Policy-Container object in the AD schema so that new policies will get this permission by default. I have tested this and it seems to have fixed the issue in new and existing group policies. I originally thought this may be directly related to Windows 10, since that is where I was seeing it, but I guess not. If you have had issues with user group policies lately, this was probably the problem.
Below is exactly what I did to fix the issue.
From an elevated PowerShell prompt I ran:
Set-GPPermissions -All -PermissionLevel GpoRead -TargetName "Domain Computers" -TargetType Group
That grants the "domain computers" group read permissions to all of the existing group policies. This will not remove any other permissions that were already granted to that group.
Next I logged in to the domain controller that holds the operations master role. From there you can open ADSIedit and connect to the schema naming context. Find the CN=Group-Policy-Container object, right-click and click properties. Locate the defaultSecurityDescriptor attribute, and click edit. Append (A;CI;LCRPLORC;;;DC) to the end of that string. This will grant the "domain computers" group read access to any new group policies that are created in the domain.
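The same fix as a script, added here as an example and not part of the original post: it audits which existing GPOs still give "Domain Computers" no read access, grants read only where it is missing, and appends the ACE from above to the schema default only if it is not already there. The function names are mine; the cmdlets are the standard GroupPolicy and ActiveDirectory module ones, and the schema change still needs Schema Admins rights on the schema master.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy and
# ActiveDirectory modules are installed and the caller is a Schema Admin
# connected to the schema master for the third step.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$group = 'Domain Computers'
# Allow ACE, inherited by child objects; LC/RP/LO/RC = list children, read
# properties, list object, read control; DC = Domain Computers well-known SID.
$ace   = '(A;CI;LCRPLORC;;;DC)'

# 1. Audit: GPOs where the group has no permission entry at all.
#    Get-GPPermission errors when the trustee has no entry, so that is
#    treated the same as an explicit "None".
function Get-GpoMissingComputerRead {
    param([string]$TargetGroup = $group)
    Get-GPO -All | Where-Object {
        $perm = Get-GPPermission -Guid $_.Id -TargetName $TargetGroup `
                    -TargetType Group -ErrorAction SilentlyContinue
        (-not $perm) -or ($perm.Permission -eq 'None')
    } | Select-Object DisplayName, Id
}

# 2. Remediate only the GPOs found above; GpoRead is additive and does not
#    remove rights the group already has.
function Grant-GpoComputerRead {
    param([string]$TargetGroup = $group)
    Get-GpoMissingComputerRead -TargetGroup $TargetGroup | ForEach-Object {
        Set-GPPermission -Guid $_.Id -PermissionLevel GpoRead `
            -TargetName $TargetGroup -TargetType Group | Out-Null
        "Granted read on '$($_.DisplayName)'"
    }
}

# 3. Schema default for future GPOs: append the ACE exactly once.
function Add-GpcDefaultComputerReadAce {
    param([string]$Ace = $ace)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $gpc = Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNc" `
               -Properties defaultSecurityDescriptor
    if ($gpc.defaultSecurityDescriptor -like "*$Ace*") {
        return 'ACE already present; no change made'
    }
    Set-ADObject -Identity $gpc.DistinguishedName `
        -Replace @{ defaultSecurityDescriptor = $gpc.defaultSecurityDescriptor + $Ace }
    return "Appended $Ace to defaultSecurityDescriptor"
}

# Run the audit first; call Grant-GpoComputerRead and
# Add-GpcDefaultComputerReadAce once the list looks right.
Get-GpoMissingComputerRead | Format-Table -AutoSize
```

Running the audit alone is a safe way to confirm whether this patch is the cause before touching permissions or the schema.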