GPO - Filtering: Not Applied (Unknown Reason)

dustinkreck · 2016-08-10T18:55:57.000Z

I’ve been working on a particular GPO that doesn’t want to apply itself for a particular user.

Running Group Policy Management on Windows Server 2008 R2

Client is running Windows 7 Pro 64 bit (However this issue happened on multiple computers in the domain)

This is an example of my results after running gpresult /R

After searching many posts on Spiceworks all answer pointed to incorrectly assigning your security groups or not understanding the difference between a user object GPO or a computer object GPO. I triple check my settings and everything was correct.

I also was confused because these GPO’s all worked when I created them, but now had stopped working.

After troubleshooting for a few days I finally came across the answer…

@Microsoft

dustinkreck · 2016-08-10T19:00:18.000Z

After completing the two steps below all my GPO problems went away!!

Since Microsoft added MS16-072: Security update for Group Policy : update to Servers :

“MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This issue is applicable for the following KB articles”

For every GPO with user or group security filtering you must add to the “Delegation” tab “Authenticated users” group with permissions “READ”. Security filtering can stay the same.
For every GPO with Computer security filtering you must add to the “Delegation” tab “Domain Computers” group with permissions “READ”. Security filtering can stay the same.
Credit goes to ‘Luka’ for the fix found here !

Little-Green-Man · 2016-08-10T19:01:11.000Z

This has been a consistent topic that’s been talked about a lot here in the community.

OscarOneEye · 2016-08-10T19:02:48.000Z

Could it be

support.microsoft.com

MS16-072: Security update for Group Policy: June 14, 2016 - Microsoft Support

Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

Little-Green-Man · 2016-08-10T19:02:53.000Z

We should sticky the info about MS16-072 & Group Policy Windows

I see a LOT of threads (and I don't get in here as much as I would like), so would it be prudent to post a sticky thread on this particular topic...at least until after a few months go by. https://support.microsoft.com/en-us/kb/3163622

It was even a featured topic in June.

Beware - Known Issues with update kb3159398 Windows

Has anyone had issues with this? It's a GPO security update: https://support.microsoft.com/en-us/kb/3159398 But there are reports of it breaking GPOs. https://community.spiceworks.com/t/504035/16 https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP EDIT: MS has said this is BY DESIGN and thus will not be fixed. This link explains why this is happening and how to fix your GPOs so you can apply this update withou…

dustinkreck · 2016-08-10T19:29:46.000Z

I didn’t think to search for the KB article! After all my searches about the problem it was causing I didn’t get any results showing the answer on spiceworks but clearly the issues around the KB is everywhere on spiceworks!

Maybe this post will help someone discover what is causing their issues.

michaeldoyle4505 · 2017-10-31T16:16:42.000Z

Hi Dustin,

Agreed. Does anyone begin by searching for a problem by KB number? If I knew the KB number then I’d already be hot on the trail of the solution, right? Of course that’s not to say that I don’t immediately suspect Microsoft Updates when stuff breaks. In fact, when troubleshooting similar issues, I almost always begin by suspecting Microsoft UpBreaks.