I was updating a logon script today and realized that for some reason it wasn’t applying to the machine. I ran rsop and gpresult, but neither one showed the policy or the logon script. The GPO was filtered to a specific group of users and the user was clearly a member of the group, so I was befuddled about what was going on. I finally found a security update, KB 3159398, for Group Policy that came out in June and that, while fixing a dangerous man-in-the-middle attack, breaks filtering if the Domain Computers group does not have read permissions to the OU. Follow the steps below to fix it and your GPO will be working like normal.
- Open up the GPO in Group Policy Management and click the Delegation tab.
- Click Add and type in Domain Computers.
- Set permissions to Read, which is the default.
- Enjoy your fixed GPOs!
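The same delegation change can be audited and applied across every GPO with the GroupPolicy PowerShell module. This is an added example, not part of the original post; the `-Fix` switch is a hypothetical name, and treating Authenticated Users (which includes computer accounts) as sufficient is an addition beyond the Domain Computers step above.

```powershell
#Requires -Modules GroupPolicy
# Added example: report GPOs the computer account cannot read after KB 3159398,
# and optionally grant Domain Computers Read on them.
param(
    [switch]$Fix   # hypothetical switch: without it the script only reports
)

# Match trustees by SID so the check also works on localized domains.
$authUsersSid       = 'S-1-5-11'   # Authenticated Users (includes computer accounts)
$domainComputersRid = '-515$'      # Domain Computers is <domain SID>-515

# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$missing = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Look for a non-denied entry that lets computer accounts read this GPO.
    # Computers granted read through some other custom group are not detected,
    # so treat the output as a list to review, not a verdict.
    $computerCanRead = $perms | Where-Object {
        -not $_.Denied -and
        $readLevels -contains $_.Permission.ToString() -and
        ($_.Trustee.Sid.Value -eq $authUsersSid -or
         $_.Trustee.Sid.Value -match $domainComputersRid)
    }

    if (-not $computerCanRead) { $gpo }
}

# GPOs that are security-filtered and lack the read entry.
$missing | Select-Object DisplayName, Id | Format-Table -AutoSize

if ($Fix) {
    foreach ($gpo in $missing) {
        # Read only: Domain Computers is not given Apply, so the existing
        # security filtering to the user group is unchanged.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead
    }
}
```

Run it without `-Fix` first and review the list; on a non-English domain, replace the `'Domain Computers'` target name with the localized group name.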
Link to Microsoft Security update and known issues below.