Filtered GPO’s are broken

I was updating a logon script today and realized that for some reason it wasn’t applying to the machine. I ran rsop and gpresult, but neither one showed the policy or the logon script. The GPO was filtered to a specific group of users and the user was clearly a member of the group, so I was befuddled as to what was going on. I finally found a security update, KB 3159398, for Group Policy that came out in June and that, while fixing a dangerous man-in-the-middle attack, breaks filtering if the Domain Computers group does not have read permissions to the OU. Follow the steps below to fix it and your GPO will be working like normal.

  1. Open up the GPO in Group Policy Management and click the Delegation tab.
  2. Click Add and type in Domain Computers.
  3. Set permissions to Read, as is the default.
  4. Enjoy your fixed GPO’s!
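
The same check and fix can be scripted across every GPO in the domain with the GroupPolicy PowerShell module. This is an added example, not part of the original post; the `$Fix` switch and the report columns are assumptions made for illustration.

```powershell
# Requires the GroupPolicy module (installed with RSAT / Group Policy Management).
Import-Module GroupPolicy

# Assumption: leave $Fix at $false to only report, set to $true to add the permission.
$Fix = $false

# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # Everything shown on the GPO's Delegation tab.
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Computer accounts can read the GPO through either of these groups.
    # A GPO filtered to a user group usually has Authenticated Users removed.
    $computerRead = $perms | Where-Object {
        $_.Trustee.Name -in 'Domain Computers', 'Authenticated Users' -and
        "$($_.Permission)" -in $readLevels
    }

    $fixed = $false
    if (-not $computerRead -and $Fix) {
        # Same as steps 1-3 above: add Domain Computers with Read.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $fixed = $true
    }

    [pscustomobject]@{
        GPO             = $gpo.DisplayName
        ComputersCanRead = [bool]$computerRead
        Fixed           = $fixed
    }
}

# Show only the GPOs that were (or still are) missing the permission.
$report | Where-Object { -not $_.ComputersCanRead } | Format-Table -AutoSize
```

Run it once in report mode first; GpoRead only lets computer accounts read the GPO and does not apply its settings to them, so the user-group filter stays in effect.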

Link to Microsoft Security update and known issues below.

https://support.microsoft.com/en-us/kb/3159398
