Fix GPO permissions before applying MS16-072

While monitoring the PM.org mailing list yesterday, a problem with Group Policies was reported.

The problem was quickly identified on this Microsoft forum thread and the fix was documented a few hours later on this support page.

To quickly display GPO names that don’t have the Authenticated Users group, you can do:

Get-GPO -All | ForEach-Object { 
    # Test if Authenticated Users group have at least read permission on the GPO
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_
    }
} | Select DisplayName

To add back the Authenticated Users group with Read Permissions on the Group Policy Object (GPO), you can do:

Get-GPO -All | ForEach-Object { 
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
        $_ | Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
    }
}

Now, every GPO has a permission set for the ‘Authenticated Users’ group and to check what permission is set for this group, you can do:

Get-GPO -All | ForEach-Object { 
    [PsCustomObject]@{
        DisplayName = $_.DisplayName
        Permission = ($_ | Get-GPPermission -TargetName 'Authenticated Users' -TargetType Group).Permission
    }
} | Out-GridView -Title 'Authenticated Users permissions'
Advertisements

8 thoughts on “Fix GPO permissions before applying MS16-072

    • Hi,
      Thanks for the feedback. I’m sure that the problem is actually a typo.

      On PowerShell 4.0 and 5.0 Get-GPPermissions is an alias of the core cmdlet Get-GPPermission both located in the grouppolicy module.

      What version of PowerShell do you run? Can you also pls tell me what version of Windows you run?
      Thx
      Emin

  1. Thanks for the script. When I 1st ran the script i kept getting and error stating that Get-GPPermission is not recognized. I then found out that it is actually Get-GPPermissions. After that everything worked nicely.

    Thanks again.

  2. Pingback: Изменения в обработке GPO, или Patch Tuesday | IT in realworld

  3. For those of you with multiple domains:

    $domains = @("domain1", "domain2", "domain3")

    foreach ($domain in $domains)
    {
    $domain
    Get-GPO $domain -All | ForEach-Object {
    if ('S-1-5-11' -notin ($_ | Get-GPPermission -All -Domain $domain).Trustee.Sid.Value)
    {
    $_ | Set-GPPermission -Domain $domain -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
    }
    }
    write ''
    }

  4. Pingback: Microsoft’s June 16 Security Patch Breaks Group Policy Settings | MSC IT Solutions Ltd

  5. Pingback: Microsoft’s June 16 Security Patch Breaks Group Policy Settings - MSC IT Solutions Ltd

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s