Home / server / Questions / 803858
Accepted
ETL
Asked: 2016-09-19 10:38:01 +0800 CST

Some Group Policies Not Applying After Windows Updates

  • 772

Servers: Windows 2008R2

Service: Microsoft Remote Desktop Services / Session Host

Situation:

Let's say 10 Group Policy objects apply to a given user. When the user RDP to ServerA, all 10 policy objects are applied correctly. But when logging on to ServerB, only 8 policy objects are applied.

RSoP executed on ServerB shows that all 10 policy objects should apply.

Looking through Events Log, I see nothing out of ordinary indicating why only 8 policy objects were applied.

group-policy

1 Answers

  1. Best Answer

    Beware of Windows Updates!

    Found the culprit - KB3159398: MS16-072: Description of the security update for Group Policy: June 14, 2016.

    Turns out that this got installed on the server which were not applying some group policies and wasn't installed on those that were behaving correctly.

    To quote the KB:

    This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.

    Known issues

    MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context.

    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause:

    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution:

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    The policy objects which weren't applied were those which had security filtering of a certain user group or list of users, instead of Authenticated Users. As covered above, those policies couldn't be read by the updated servers because the reading of policy objects was done using the computer account instead of the user account. By adding the Domain Computers group to the security filter, the computer account can now read the policy. Everything seems fine after that. The policy objects are still filtered by users, but the objects can be read by the computer.

    • 0