I stumbled on this gem today.
Basically, if you use Security Filtering on a User GPO, it may not work any more due to Microsoft patch MS16-072, which was released on June 14, 2016.
See https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/
This is an excellent article and explains it very well.
Basically, this Microsoft patch changes the way that GPOs are processed.
In summary:
After applying the appropriate patch to your systems, User group policies are retrieved from SYSVOL differently than before. Prior to the update, domain joined computers used the user’s security context to make the connection and retrieve the policies. After the update is applied, domain joined computers will now retrieve all policies using the computer security context.
What this means is that if you have used Security Filtering on a GPO with User scope, and you do not have "Authenticated Users" in the list of delegates with Read permissions, you need to add "Domain Computers". Otherwise the users will not get their GPOs.
Also, you need to change the default permissions in GPMC or AGPM for new GPOs, to add this permission.
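
One way to find the affected GPOs, as an added example that is not from the original post or the linked article: the script lists every GPO where neither "Authenticated Users" nor "Domain Computers" has a Read-level permission. The `$Remediate` switch variable and the English group name "Domain Computers" are assumptions of this example.

```powershell
# Added example. Needs the GroupPolicy module (installed with GPMC / RSAT)
# and an account allowed to read (and, to remediate, modify) GPO permissions.
Import-Module GroupPolicy

$Remediate  = $false   # assumption: report only; set to $true to add the permission
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $acl = Get-GPPermission -Guid $gpo.Id -All

    # Match trustees by SID so the check does not depend on display names:
    # S-1-5-11 = Authenticated Users, domain RID 515 = Domain Computers.
    # Entries with a custom permission level are not counted as Read here,
    # so such GPOs show up in the report for manual review.
    $computerRead = $acl | Where-Object {
        -not $_.Denied -and
        $_.Permission.ToString() -in $readLevels -and
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
         $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
    }

    if (-not $computerRead) {
        if ($Remediate) {
            # Read only, not Apply: the GPO stays filtered to the chosen users.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Fixed       = $Remediate
        }
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it once with `$Remediate = $false` and review the list before changing any permissions.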