Home / server / Questions / 784615
Accepted
Daniel
Asked: 2016-06-18 06:05:14 +0800 CST

GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10

  • 772

I have a Windows Server 2012 R2 Domain.

Yesterday, a computer’s (running Windows 10 Pro) network drive stopped working.

After further investigation (gpresult /h) it appears ALL group policy objects are failing with the reason Inaccessible, Empty, or Disabled.

I have confirmed that all the GPOs still exist and are enabled on both (redundant and local) domain controllers. Furthermore, there are 20 other machines on the same domain and LAN with absolutely no problems.

However, there is one other computer that I tested which presented with the same problem! Does that mean the problem is with the servers?

gpresult /r reports that one client is getting GPOs from local DC1, and the other from DC2. So it is not a problem related to a specific DC.

gpupdate /force fixed nothing (though it claimed that policies were applied).

I tried deleting the registry entries for local policies (following this guide https://superuser.com/questions/379908/how-to-clear-or-remove-domain-applied-group-policy-settings-after-leaving-the-do) and rebooting - same problem.

I found this support page from Microsoft (https://support.microsoft.com/en-us/kb/2976965), but it claims it only applies to Windows 7 or earlier clients.

All my machines (both server and client) are running 64-bit versions and are fully updated. I have rebooted all of them just to be sure.

group-policy active-directory windows-10 windows-server-2012-r2

1 Answers

  1. Best Answer

    Check the patch joeqwerty link too.

    There is the important detail:

    Known issues

    MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machines security context. This issue is applicable for the following KB articles:

    • 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
    • 3163017 Cumulative update for Windows 10: June 14, 2016
    • 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
    • 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016

    Symptoms

    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause

    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

    - Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    - If you are using security filtering, add the Domain Computers group with read permission.

    See this link Deploy MS16-072 which explains everything and offers script to repair the affected GPOs. The script adds Authenticated users read permissions to all GPOs which have no permission for Authenticated users.

    # Copyright (C) Microsoft Corporation. All rights reserved.

$osver = [System.Environment]::OSVersion.Version
$win7 = New-Object System.Version 6, 1, 7601, 0

if($osver -lt $win7)
{
    Write-Error "OS Version is not compatible for this script. Please run on Windows 7 or above"
    return
}

Try
{
    Import-Module GroupPolicy
}
Catch
{
    Write-Error "GP Management tools may not be installed on this machine. Script cannot run"
    return
}

$arrgpo = New-Object System.Collections.ArrayList

foreach ($loopGPO in Get-GPO -All)
{
    if ($loopGPO.User.Enabled)
    {
        $AuthPermissionsExists = Get-GPPermissions -Guid $loopGPO.Id -All | Select-Object -ExpandProperty Trustee | ? {$_.Name -eq "Authenticated Users"}
        If (!$AuthPermissionsExists)
        {
            $arrgpo.Add($loopGPO) | Out-Null
        }
    }
}

if($arrgpo.Count -eq 0)
{
    echo "All Group Policy Objects grant access to 'Authenticated Users'"
    return
}
else
{
    Write-Warning  "The following Group Policy Objects do not grant any permissions to the 'Authenticated Users' group:"
    foreach ($loopGPO in $arrgpo)
    {
        write-host "'$($loopgpo.DisplayName)'"
    }
}

$title = "Adjust GPO Permissions"
$message = "The Group Policy Objects (GPOs) listed above do not have the Authenticated Users group added with any permissions. Group policies may fail to apply if the computer attempting to list the GPOs required to download does not have Read Permissions. Would you like to adjust the GPO permissions by adding Authenticated Users group Read permissions?"

$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
    "Adds Authenticated Users group to all user GPOs which don't have 'Read' permissions"
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
    "No Action will be taken. Some Group Policies may fail to apply"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)  
$appliedgroup = $null
switch ($result)
{
    0 {$appliedgroup = "Authenticated Users"}
    1 {$appliedgroup = $null}
}
If($appliedgroup)
{
    foreach($loopgpo in $arrgpo)
    {
        write-host "Adding 'Read' permissions for '$appliedgroup' to the GPO '$($loopgpo.DisplayName)'."
        Set-GPPermissions -Guid $loopgpo.Id -TargetName $appliedgroup -TargetType group -PermissionLevel GpoRead | Out-Null
    }
}

    If you preffer to set the read permission for Domain Computers (as I do) rather than Authenticated Users just change this 0 {$appliedgroup = "Authenticated Users"} to that 0 {$appliedgroup = "Domain Computers"}

    • 19