by butsch
20. June 2016 21:51
Important change for all GPO admins | Change in the way GPOs are applied and filtered.
The Windows updates of June 2016 (MS16-072) change how Group Policy Objects (GPOs, German: Gruppenrichtlinien) must be filtered to Active Directory security groups. It is no longer enough to JUST remove "Authenticated Users" under Security Filtering and add your own security group there: such a policy will not be applied any more, because Microsoft changed the concept. After the update, user Group Policy is retrieved in the security context of the computer account, so the computer account must be able to READ the GPO. That read access has to come from "Authenticated Users" or "Domain Computers" under Delegation (Read only, NOT Apply).
In short (originally in German):
GPOs that are filtered to user groups stop working after installing the patches if neither Authenticated Users nor Domain Computers has Read under Delegation.
June 2016 patches:
KB 3163018 | KB 314913 | KB 3159398
https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP
http://www.gruppenrichtlinien.de/artikel/sicherheitsfilterung-neu-erfunden-ms16-072-patchday-14062016/
This is a normal policy which is not affected by the patches: "Authenticated Users" is still listed under Security Filtering with Read and Apply.
Please make a backup of your GPO before changing anything (Backup-GPO or the GPMC "Back Up..." function).
Here you see one where we removed "Authenticated Users" ("Authentifizierte Benutzer") from Security Filtering and replaced it with a security group. This GPO needs to be corrected. Leave Security Filtering AS IT IS; the place to change it is the Delegation tab.
First, how NOT to do it: adding "Authenticated Users" back under Security Filtering grants Apply as well as Read (> this would make the POLICY APPLY to everyone!).
Correct way to make it June 2016 Patchday compatible: on the Delegation tab click Add, select "Authenticated Users" (or "Domain Computers") and give it "Read" only. Security Filtering still shows only your group, so the policy still applies only to that group; the computer account just gains the read access it now needs. Note that domain controllers are not members of "Domain Computers", so for policies that users pick up when logging on to a DC, "Authenticated Users" is the safer choice.
Make a backup of the GPO before you even think about changing it!
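The following script is an added example and is not the author's script, nor the one from the Social MSDN posting below. It audits every GPO in the domain for the MS16-072 requirement and, only when started with the (hypothetical) -Fix switch, backs the GPO up and grants "Read" to Authenticated Users under Delegation. Instead of matching group names, it identifies the two groups by their well-known SIDs (Authenticated Users = S-1-5-11, Domain Computers = domain SID + RID 515), so it works the same on an English and a German domain. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the caller may read GPO security, and that -BackupPath points to a writable folder.

```powershell
<#
  Added example (not from the original post): audit GPOs for the MS16-072
  "computer account needs Read" requirement, optionally fix them.
  Run without -Fix first: it then only reports.
  Assumed: GroupPolicy + ActiveDirectory modules (RSAT), writable -BackupPath.
#>
param(
    [switch]$Fix,
    [string]$BackupPath = "$env:TEMP\GpoBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known SIDs instead of (localized) names: S-1-5-11 and <domain SID>-515
$domainSid      = (Get-ADDomain).DomainSID
$authUsersSid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$domainCompsSid = New-Object System.Security.Principal.SecurityIdentifier(
                      [System.Security.Principal.WellKnownSidType]::AccountComputersSid, $domainSid)

# Local display name of Authenticated Users ("Authenticated Users" or
# "Authentifizierte Benutzer"), without the "NT AUTHORITY\" prefix, because
# Set-GPPermission expects the bare group name.
$authUsersName = $authUsersSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

function Test-GpoReadableByComputer {
    param([Microsoft.GroupPolicy.Gpo]$Gpo)
    # True if Authenticated Users or Domain Computers has at least Read.
    # Apply and Edit include Read; a Deny entry does not count.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($ace in (Get-GPPermission -Guid $Gpo.Id -All)) {
        if ($ace.Denied) { continue }
        if ($ace.Trustee.Sid -ne $authUsersSid -and $ace.Trustee.Sid -ne $domainCompsSid) { continue }
        if ($ace.Permission -in $readLevels) { return $true }
    }
    return $false
}

$affected = foreach ($gpo in (Get-GPO -All | Sort-Object -Property DisplayName)) {
    if (-not (Test-GpoReadableByComputer -Gpo $gpo)) { $gpo }
}

if (-not $affected) {
    Write-Host 'All GPOs grant Read to Authenticated Users or Domain Computers. Nothing to do.'
    return
}

Write-Host 'GPOs that will stop applying after MS16-072 (no Read for the computer account):'
$affected | Select-Object DisplayName, Id | Format-Table -AutoSize

if ($Fix) {
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    foreach ($gpo in $affected) {
        # Backup first; undo with: Restore-GPO -Path $BackupPath -Name '<DisplayName>'
        Backup-GPO -Guid $gpo.Id -Path $BackupPath | Out-Null
        # Read only, no Apply: Security Filtering (who the policy applies to) is unchanged.
        Set-GPPermission -Guid $gpo.Id -TargetName $authUsersName -TargetType Group `
                         -PermissionLevel GpoRead | Out-Null
        Write-Host "Fixed: $($gpo.DisplayName) (backup in $BackupPath)"
    }
}
```

The script grants Read to Authenticated Users rather than Domain Computers on purpose: domain controllers are not members of Domain Computers, and Authenticated Users covers every domain-joined computer account. Run it once without -Fix, compare the list with the GPOs you filtered by hand, and only then run it with -Fix.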
PowerShell originally posted by Stepan Kokhanovskiy on Social MSDN.
I changed this to a READ-only and LIST-only version so you can check first whether you have SUCH GPOs.
    $DebugPreference = 'Continue'

    # Group names as shown in the GPMC. On a localized (e.g. German) domain use
    # the localized names, e.g. 'Authentifizierte Benutzer' and 'Domänencomputer'.
    $AuthUsersName       = 'Authenticated Users'
    $DomainComputersName = 'Domain Computers'

    Write-Debug "Get list of all group policy objects in the domain."
    $AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

    Write-Debug "Select group policies that have no permission for either group."
    $ProcessGpo = foreach ($Gpo in $AllGpo)
    {
        Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

        Write-Debug "Get permission for the `"$AuthUsersName`" group."
        $AuthUsersPermission = $Gpo | Get-GPPermission -TargetName $AuthUsersName -TargetType Group -ErrorAction SilentlyContinue

        Write-Debug "Get permission for the `"$DomainComputersName`" group."
        $DomainComputersPermission = $Gpo | Get-GPPermission -TargetName $DomainComputersName -TargetType Group -ErrorAction SilentlyContinue

        if (-not ($AuthUsersPermission -or $DomainComputersPermission))
        {
            # Neither group has any entry under Delegation: after MS16-072 this GPO no longer applies.
            Write-Debug "No permissions found."
            $Gpo
        }
        else
        {
            Write-Debug "Permissions found. Skip group policy."
        }
    }

    if ($ProcessGpo)
    {
        Write-Debug "List of the selected group policies."
        $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

        # READ-only version: just output the affected GPOs, change nothing.
        foreach ($Gpo in $ProcessGpo)
        {
            Write-Debug "Affected group policy `"$($Gpo.DisplayName)`"."
            $Gpo
        }
    }
    else
    {
        Write-Debug "No group policy found."
    }
The version above only LISTS / reports (German: nur lesen).
The version below CHANGES / corrects (German: Änderung).
Change version from the Social MSDN posting, adapted to a German Active Directory ("Domänencomputer" instead of "Domain Computers"):
    $DebugPreference = 'Continue'

    # German domain: localized group names. On an English domain use
    # 'Authenticated Users' and 'Domain Computers' instead.
    $AuthUsersName       = 'Authentifizierte Benutzer'
    $DomainComputersName = 'Domänencomputer'

    Write-Debug "Get list of all group policy objects in the domain."
    $AllGpo = Get-GPO -All | Sort-Object -Property 'DisplayName'

    Write-Debug "Select group policies for permission changes."
    $ProcessGpo = foreach ($Gpo in $AllGpo)
    {
        Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."

        Write-Debug "Get permission for the `"$AuthUsersName`" group."
        $AuthUsersPermission = $Gpo | Get-GPPermission -TargetName $AuthUsersName -TargetType Group -ErrorAction SilentlyContinue

        Write-Debug "Get permission for the `"$DomainComputersName`" group."
        $DomainComputersPermission = $Gpo | Get-GPPermission -TargetName $DomainComputersName -TargetType Group -ErrorAction SilentlyContinue

        if (-not ($AuthUsersPermission -or $DomainComputersPermission))
        {
            Write-Debug "No permissions found."
            $Gpo
        }
        else
        {
            Write-Debug "Permissions found. Skip group policy."
        }
    }

    if ($ProcessGpo)
    {
        Write-Debug "List of the selected group policies."
        $ProcessGpo | Select-Object -ExpandProperty DisplayName | Write-Debug

        Write-Debug "Change permissions for the selected group policies."
        foreach ($Gpo in $ProcessGpo)
        {
            try
            {
                Write-Debug "Process the group policy `"$($Gpo.DisplayName)`"."
                Write-Debug "Add the `"Read`" permission for the `"$DomainComputersName`" group."
                # GpoRead = Read only (no Apply): Security Filtering stays as it is.
                # Only GPOs where the group had NO entry are processed, so nothing is downgraded.
                Set-GPPermission -Guid $Gpo.Id -PermissionLevel GpoRead -TargetName $DomainComputersName -TargetType Group -ErrorAction Stop | Out-Null
                Write-Debug "Permissions changed successfully."
                $Gpo
            }
            catch
            {
                $_ | Write-Error
            }
        }
    }
    else
    {
        Write-Debug "No group policy found."
    }