Check joeqwerty's link too.
There is an important detail:
Known issues
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers' computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user's security context. After MS16-072 is installed, user group policies are retrieved by using the machine's security context. This issue is applicable for the following KB articles:
- 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
- 3163017 Cumulative update for Windows 10: June 14, 2016
- 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
- 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14, 2016
Symptoms
All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain-joined computers.
Cause
This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group, or if you are using security filtering and are missing Read permissions for the Domain Computers group.
Resolution
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
- Add the Authenticated Users group with Read permissions on the Group Policy Object (GPO).
- If you are using security filtering, add the Domain Computers group with Read permission.
See this link, Deploy MS16-072, which explains everything and offers a script to repair the affected GPOs. The script adds Authenticated Users read permissions to all GPOs that have no permission for Authenticated Users.
```powershell
# Copyright (C) Microsoft Corporation. All rights reserved.

# Requires Windows 7 / Server 2008 R2 or later.
$osver = [System.Environment]::OSVersion.Version
$win7 = New-Object System.Version 6, 1, 7601, 0
if ($osver -lt $win7)
{
    Write-Error "OS Version is not compatible for this script. Please run on Windows 7 or above"
    return
}

# The GroupPolicy module ships with the GPMC (RSAT) tools.
Try
{
    Import-Module GroupPolicy
}
Catch
{
    Write-Error "GP Management tools may not be installed on this machine. Script cannot run"
    return
}

# Collect every user-enabled GPO with no ACE at all for 'Authenticated Users'.
$arrgpo = New-Object System.Collections.ArrayList
foreach ($loopGPO in Get-GPO -All)
{
    if ($loopGPO.User.Enabled)
    {
        $AuthPermissionsExists = Get-GPPermissions -Guid $loopGPO.Id -All | Select-Object -ExpandProperty Trustee | ? {$_.Name -eq "Authenticated Users"}
        If (!$AuthPermissionsExists)
        {
            $arrgpo.Add($loopGPO) | Out-Null
        }
    }
}

if ($arrgpo.Count -eq 0)
{
    echo "All Group Policy Objects grant access to 'Authenticated Users'"
    return
}
else
{
    Write-Warning "The following Group Policy Objects do not grant any permissions to the 'Authenticated Users' group:"
    foreach ($loopGPO in $arrgpo)
    {
        write-host "'$($loopgpo.DisplayName)'"
    }
}

# Ask before changing any ACLs.
$title = "Adjust GPO Permissions"
$message = "The Group Policy Objects (GPOs) listed above do not have the Authenticated Users group added with any permissions. Group policies may fail to apply if the computer attempting to list the GPOs required to download does not have Read Permissions. Would you like to adjust the GPO permissions by adding Authenticated Users group Read permissions?"
$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
    "Adds Authenticated Users group to all user GPOs which don't have 'Read' permissions"
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
    "No Action will be taken. Some Group Policies may fail to apply"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)

$appliedgroup = $null
switch ($result)
{
    0 {$appliedgroup = "Authenticated Users"}
    1 {$appliedgroup = $null}
}

If ($appliedgroup)
{
    foreach ($loopgpo in $arrgpo)
    {
        write-host "Adding 'Read' permissions for '$appliedgroup' to the GPO '$($loopgpo.DisplayName)'."
        Set-GPPermissions -Guid $loopgpo.Id -TargetName $appliedgroup -TargetType group -PermissionLevel GpoRead | Out-Null
    }
}
```
If you prefer to set the read permission for Domain Computers (as I do) rather than Authenticated Users, just change this `0 {$appliedgroup = "Authenticated Users"}` to `0 {$appliedgroup = "Domain Computers"}`.
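Note that the Microsoft script above only checks whether an ACE for Authenticated Users exists, so a GPO that is already readable by Domain Computers is still flagged and still gets Authenticated Users added. The following audit helper is an added example, not Microsoft's script or part of the original answer; it treats a user-side GPO as affected only when neither Authenticated Users nor Domain Computers holds at least Read (and no Deny entry), reports the result, and previews the fix with `-WhatIf` before anything is changed. The function names and the `$ReadTrustees` parameter are my own, and the script assumes the GroupPolicy module (GPMC/RSAT) is installed.

```powershell
# Added audit helper (not Microsoft's script): lists user-side GPOs that no
# computer account can read after MS16-072, i.e. neither 'Authenticated Users'
# nor 'Domain Computers' holds at least GpoRead via a non-Deny ACE.
Import-Module GroupPolicy

function Get-GpoMissingComputerRead {
    param(
        # Trustees whose Read permission satisfies the MS16-072 requirement (assumed names).
        [string[]]$ReadTrustees = @('Authenticated Users', 'Domain Computers')
    )
    foreach ($gpo in Get-GPO -All) {
        if (-not $gpo.User.Enabled) { continue }   # computer-only GPOs are not affected
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $hasRead = $perms | Where-Object {
            $ReadTrustees -contains $_.Trustee.Name -and
            -not $_.Denied -and
            $_.Permission -ne 'None'   # GpoRead, GpoApply, GpoEdit... all include Read
        }
        if (-not $hasRead) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($perms | ForEach-Object { $_.Trustee.Name }) -join ', '
            }
        }
    }
}

function Repair-GpoComputerRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(ValueFromPipeline)] $Gpo,
        [ValidateSet('Authenticated Users', 'Domain Computers')]
        [string]$Group = 'Domain Computers'
    )
    process {
        # -WhatIf / -Confirm are honoured here, so the change can be previewed first.
        if ($PSCmdlet.ShouldProcess($Gpo.DisplayName, "grant GpoRead to '$Group'")) {
            Set-GPPermission -Guid $Gpo.Id -TargetName $Group -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Report first, then preview the remediation; drop -WhatIf to apply it.
$missing = Get-GpoMissingComputerRead
$missing | Format-Table DisplayName, Trustees -AutoSize
$missing | Repair-GpoComputerRead -Group 'Domain Computers' -WhatIf
```

Pass `-Group 'Authenticated Users'` to get the same remediation the Microsoft script performs, but only on GPOs that truly lack computer Read access.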