Avantgarde Technologies
Quick Links:
Recently a client of mine advised they had a few issues with their GPOs suddenly not applying. After looking through what the issue could be, we added Authenticated Users to the permissions list and gave them ‘read’ permissions. This suddenly resolved the issue.
Authenticated Users didn’t have permission before, as it was locked down by Security Group. I hadn’t made any changes to the GPO and neither had the IT team onsite. This prompted me to look into this further.
Upon investigation, I found that this was caused by a Windows Update (https://support.microsoft.com/en-us/kb/3163622). The update details are the following:
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This issue is applicable for the following KB articles:
All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
