While I was monitoring the PM.org mailing list yesterday, a problem with Group Policies was reported.
The problem was quickly identified in this Microsoft forum thread, and the fix was documented a few hours later on this support page.
To quickly display the names of the GPOs that don’t grant the Authenticated Users group any permission, you can do:
Get-GPO -All | ForEach-Object {
    # Test whether the Authenticated Users group (well-known SID S-1-5-11) has at least read permission on the GPO
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_
    }
} | Select-Object DisplayName
To add back the Authenticated Users group with Read Permissions on the Group Policy Object (GPO), you can do:
Get-GPO -All | ForEach-Object {
    # Only touch GPOs where Authenticated Users is missing from the ACL
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_ | Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
    }
}
Now every GPO has a permission entry for the ‘Authenticated Users’ group. To check which permission level is set for this group on each GPO, you can do:
Get-GPO -All | ForEach-Object {
    [PsCustomObject]@{
        DisplayName = $_.DisplayName
        Permission  = ($_ | Get-GPPermission -TargetName 'Authenticated Users' -TargetType Group).Permission
    }
} | Out-GridView -Title 'Authenticated Users permissions'
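As an added example (not code from the original post), the three steps above folded into one audit function with an opt-in remediation step that honours -WhatIf and -Confirm. Microsoft’s guidance for this change accepts either Authenticated Users or the domain’s Domain Computers group holding Read, so the check treats either as sufficient; the function name, the default domain ($env:USERDNSDOMAIN) and the report layout are assumptions.

```powershell
#Requires -Modules GroupPolicy
function Test-GpoReadAccess {
    # Reports, per GPO, whether computer accounts will be able to read it:
    # Authenticated Users (S-1-5-11) or Domain Computers (RID 515 in the domain SID)
    # must hold at least Read. -Remediate grants Authenticated Users GpoRead where missing.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # assumption: audit the current user's domain
        [switch]$Remediate
    )
    # Permission levels that include Read (Apply/Edit/EditDeleteModifySecurity imply Read)
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $acl = $gpo | Get-GPPermission -All -Domain $Domain
        $readers = $acl | Where-Object {
            $readLevels -contains "$($_.Permission)" -and
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }
        $ok = [bool]$readers

        if (-not $ok -and $Remediate -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant 'Authenticated Users' GpoRead")) {
            $gpo | Set-GPPermission -Domain $Domain -PermissionLevel GpoRead `
                -TargetName 'Authenticated Users' -TargetType Group | Out-Null
            $ok = $true
        }

        [PSCustomObject]@{
            DisplayName  = $gpo.DisplayName
            Id           = $gpo.Id
            ComputerRead = $ok
            ReadTrustees = ($readers.Trustee.Name -join ', ')
        }
    }
}

# Report only the GPOs that will break:
# Test-GpoReadAccess | Where-Object { -not $_.ComputerRead }
# Preview the fix, then apply it:
# Test-GpoReadAccess -Remediate -WhatIf
# Test-GpoReadAccess -Remediate
```

Run the report form first and keep its output: it is the record of which GPOs were changed and which already had a Read entry for one of the two groups.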
There’s a typo in the script. Get-GPPermission should be Get-GPPermissions.
Hi,
Thanks for the feedback. I’m sure that the problem is actually a typo.
On PowerShell 4.0 and 5.0 Get-GPPermissions is an alias of the core cmdlet Get-GPPermission both located in the grouppolicy module.
What version of PowerShell do you run? Can you also pls tell me what version of Windows you run?
Thx
Emin
Thanks for the script. When I first ran the script I kept getting an error stating that Get-GPPermission is not recognized. I then found out that it is actually Get-GPPermissions. After that everything worked nicely.
Thanks again.
Hi,
Thanks for the feedback.
What version of PowerShell do you run? Can you also pls tell me what version of Windows you run?
For those of you with multiple domains:
$domains = @('domain1', 'domain2', 'domain3')
foreach ($domain in $domains) {
    $domain
    # -All and a positional -Name cannot be combined; pass the domain through -Domain
    Get-GPO -All -Domain $domain | ForEach-Object {
        if ('S-1-5-11' -notin ($_ | Get-GPPermission -All -Domain $domain).Trustee.Sid.Value) {
            $_ | Set-GPPermission -Domain $domain -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
        }
    }
    Write-Output ''
}