Active Directory, Group Policy, not working after MS16-072 applied

It may appear that Group Policy Objects (GPOs) stop working after the MS16-072 patch has been applied. This is because the security context in which user GPOs are retrieved has changed, which can leave a GPO unreadable by the computer account that now retrieves it. This is by design.

MS16-072 is delivered in the following updates:
For Windows 7, 8, 8.1, Server 2008/R2, Server 2012/R2: https://support.microsoft.com/en-us/kb/3159398
For Windows 10 (part of Cumulative Update): https://support.microsoft.com/en-us/kb/3163017
For Windows 10 rev 1511 (part of Cumulative Update): https://support.microsoft.com/en-us/kb/3163018

This patch changes the security context with which user group policies are retrieved. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved using the user's security context. After MS16-072 is installed, user group policies are retrieved using the machine's (computer account's) security context.

Note that group policy application (security filtering) is still evaluated using the user or group context, as before; only the account that reads the GPO has changed.

It is recommended that you do not uninstall or roll back this patch. The change in behavior is by design, and the access controls on the affected GPOs can be adjusted to restore functionality, as follows:

In Group Policy Management Console, for the GPO in question, on the Delegation Tab, add the access control entry of: "Domain Computers" with "READ" permission (not "READ and Apply Group Policy").
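Doing this by hand in GPMC is fine for one GPO, but after MS16-072 every user GPO in the domain may need checking. The script below is an added example written for this article, not Microsoft's published MS16-072 script and not part of the original page. It uses the GroupPolicy RSAT module (Get-GPO, Get-GPPermission, Set-GPPermission), must run as an account allowed to modify GPO delegation, and reports each GPO that no computer account can read; with the assumed -Fix switch it grants "Domain Computers" Read (not Apply), exactly as the step above describes. The function name and the -Fix switch are this example's own. It treats a GPO as already readable when either "Authenticated Users" (which includes domain computer accounts) or "Domain Computers" holds a permission level that implies Read.

```powershell
# Added example (not from the original article): audit GPOs for the MS16-072
# condition and optionally grant "Domain Computers" Read, as the article describes.
# Assumes the GroupPolicy RSAT module and rights to edit GPO delegation.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix   # hypothetical switch: without -Fix the script only reports
)

Import-Module GroupPolicy -ErrorAction Stop

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID; includes domain computer accounts
$DomainComputersRid    = '-515'       # Domain Computers is RID 515 in every domain

# Permission levels that imply the trustee can read the GPO (Apply and Edit include Read).
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadableByComputers {
    # Hypothetical helper: $true when computer accounts can read the GPO's AD object/SYSVOL.
    param([Parameter(Mandatory)] $Gpo)

    $acl = Get-GPPermission -Guid $Gpo.Id -All -ErrorAction Stop
    foreach ($ace in $acl) {
        if ($null -eq $ace.Trustee.Sid) { continue }   # unresolvable (orphaned) trustee
        $sid = $ace.Trustee.Sid.Value
        $isComputerPrincipal = ($sid -eq $AuthenticatedUsersSid) -or ($sid -like "*$DomainComputersRid")
        if ($isComputerPrincipal -and ($ReadLevels -contains $ace.Permission.ToString())) {
            return $true
        }
    }
    return $false
}

# Collect every GPO that the machine security context could not read after MS16-072.
$affected = foreach ($gpo in Get-GPO -All) {
    if (-not (Test-GpoReadableByComputers -Gpo $gpo)) { $gpo }
}

foreach ($gpo in $affected) {
    if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Domain Computers Read')) {
        # Read only, never Apply: this restores retrieval without changing which
        # computers the GPO is applied to, matching the article's instruction.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' -TargetType Group `
            -PermissionLevel GpoRead | Out-Null
        "Fixed: $($gpo.DisplayName)"
    }
    else {
        "Needs Read for Domain Computers: $($gpo.DisplayName)"
    }
}
```

Run it without parameters first to get the list of affected GPOs; then run with -Fix -WhatIf to preview the changes and with -Fix to apply them. Granting GpoRead rather than GpoApply matters: Apply would add every domain computer to the GPO's security filtering and change where the policy takes effect.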

Keywords: Active Directory Group Policy GPO Windows MS16-072 3162622 3159398 2163017 3163018
Doc ID: 64157
Owner: Erik C.
Group: University of Illinois Technology Services
Created: 2016-06-16 11:29 CDT
Updated: 2016-12-19 16:29 CDT
Sites: University of Illinois Technology Services