While I was monitoring the PM.org mailing list yesterday, a problem with Group Policies was reported.
The problem was quickly identified on this Microsoft forum thread and the fix was documented a few hours later on this support page.
To quickly display the names of GPOs that have no permission entry for the Authenticated Users group, you can do:
Get-GPO -All | ForEach-Object {
    # Test whether the Authenticated Users group (SID S-1-5-11) has any permission entry on the GPO
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_
    }
} | Select-Object DisplayName
To add back the Authenticated Users group with Read Permissions on the Group Policy Object (GPO), you can do:
Get-GPO -All | ForEach-Object {
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_ | Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
    }
}
Now every GPO has a permission set for the ‘Authenticated Users’ group. To check which permission is set for this group, you can do:
Get-GPO -All | ForEach-Object {
    [PsCustomObject]@{
        DisplayName = $_.DisplayName
        Permission  = ($_ | Get-GPPermission -TargetName 'Authenticated Users' -TargetType Group).Permission
    }
} | Out-GridView -Title 'Authenticated Users permissions'
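The check and the fix above can also be run as a single audit-first pass that records the state of every GPO before anything is changed and previews the change with -WhatIf. This is an added example, not part of the original post; the function name Get-GpoAuthUsersState and the CSV file name are hypothetical, and it assumes the GroupPolicy module is available.

```powershell
#Requires -Modules GroupPolicy

# Well-known SID of the Authenticated Users group, as used in the snippets above
$authUsersSid = 'S-1-5-11'

# Hypothetical helper: one object per GPO describing the Authenticated Users entry
function Get-GpoAuthUsersState {
    [CmdletBinding()]
    param()

    Get-GPO -All | ForEach-Object {
        $gpo = $_
        # Filter on the SID so a GPO with no entry yields $null instead of an error
        $entry = $gpo | Get-GPPermission -All |
            Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid }

        [PSCustomObject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Permission  = if ($entry) { $entry.Permission -join ',' } else { 'Missing' }
            NeedsFix    = -not $entry
        }
    }
}

# 1. Record the current state before touching anything (file name is an assumption)
$report = Get-GpoAuthUsersState
$report | Export-Csv -Path .\gpo-authusers-before.csv -NoTypeInformation

# 2. Show which GPOs would be changed
$report | Where-Object NeedsFix | Format-Table DisplayName, Id, Permission

# 3. Preview the fix; remove -WhatIf to apply it
$report | Where-Object NeedsFix | ForEach-Object {
    Set-GPPermission -Guid $_.Id -PermissionLevel GpoRead `
        -TargetName 'Authenticated Users' -TargetType Group -WhatIf
}
```

The exported CSV gives a before-state to compare against if a GPO later needs its original delegation restored.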