Link to MS16-072 \ KB3163622
An FYI to anyone who uses GPO Filtering and has not read the above article (MS16-072 \ KB3163622).
Issues
After installing this patch, GPO filtering may fail (depending on how you have it set up).
If you have applied this patch, almost anything you read on setting up Security Filtering is now out of date - and will make you doubt your sanity!
Reason
Previously, in simple terms, all you had to do for a USER filter in GPO Security Filtering was create an AD Group, add the users to the group and then apply this group to the GPO Security Filtering section.
After the above update, COMPUTERS must also be given access to READ the policy before the USER policy can be applied to users, i.e. if the computer the user is logged onto cannot access the GPO to read it, the GPO is skipped in its entirety.
If you run gpresult /r as the user, you will find that the (previously working) GPO is not listed under “Applied Group Policy Objects”.
Also, there may be nothing obvious under “The following GPO’s were filtered out”, which threw me at first, or there may be a message such as “Filtering: Not Applied (unknown reason)”.
Resolution
The Authenticated Users group is not affected, as this group covers both computers and users.
For any filter based solely on an AD Group of users, either add the computer accounts directly to the Security Filtering section or create a Computer AD Group and apply this to the Security Filtering section.
Remember to reboot your PCs after adding them to an AD Group for the filtering to work.
Hopefully this will answer questions for those either:
- Wondering (like me) why Security Filtering no longer works (yet it did previously)
- Why everything they read on USER filtering does not work
Although this was released in June 2016, I have so few filters that I have only just come across this issue.
G
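To find which GPOs are exposed to the problem described under Reason, the following audit lists every GPO where no computer-containing principal has Read access. It is an added example, not part of the original post. It assumes the GroupPolicy module (RSAT) is installed, and the group names in `$computerGroups` are placeholders to replace with your own computer groups.

```powershell
# Audit: list GPOs that computers cannot read (the post-MS16-072 failure condition).
# Read-only; makes no changes to any GPO.
Import-Module GroupPolicy

# Groups known to contain computer accounts. 'Authenticated Users' and
# 'Domain Computers' are built in; add any computer groups you created for
# Security Filtering (names here are assumptions for this example).
$computerGroups = @('Authenticated Users', 'Domain Computers')

# Permission levels that include Read on the GPO.
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Allow entries that grant Read to a computer group or to an
    # individual computer account added directly to the GPO.
    $computerRead = $perms | Where-Object {
        -not $_.Denied -and
        $readLevels -contains $_.Permission.ToString() -and
        ($computerGroups -contains $_.Trustee.Name -or
         $_.Trustee.SidType.ToString() -eq 'Computer')
    }

    if (-not $computerRead) {
        # Show who the GPO is currently filtered to, for context.
        $appliesTo = ($perms |
            Where-Object { $_.Permission.ToString() -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }) -join '; '

        [pscustomobject]@{
            GpoName   = $gpo.DisplayName
            GpoId     = $gpo.Id
            AppliesTo = $appliesTo
        }
    }
}

$report | Sort-Object GpoName | Format-Table -AutoSize
```

Each GPO in the output is a candidate for the fix under Resolution. A GPO filtered to a custom computer group not listed in `$computerGroups` will also be reported, so add such groups to the list first.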