How to: Update GPO permissions to resolve problems caused by Microsoft security bulletin MS16-072


Instructions

To improve the security of servers and workstations joined to a domain, Microsoft released security bulletin MS16-072 and an associated security patch on June 14, 2016. The patch fundamentally changes the security requirement for applying group policy objects (GPOs) in departmental organizational units (OUs). Once the security update is applied, domain computers will not successfully run existing or new GPOs unless specific permission requirements have been established.

To avoid interruption in your GPO propagation, please use the Group Policy Management Console (GPMC.MSC) and update your department GPO permissions using the steps below.

CAUTION: Please carefully review the information below before proceeding, and be sure to use test executions before applying to production.

1) Open Group Policy Management (located under Control Panel > System and Security > Administrative Tools).

TIP: If you do not see Group Policy Management in that location, make sure you have installed Remote Server Administration Tools and enabled the Group Policy Management Console.

2) Browse to the following path: Forest: ttu.net > Domains > ttu.edu > Group Policy Objects. Then, click once on the GPO you wish to edit.

3) Go to the Delegation tab and click Advanced.

4) Click Add.

5) Decide whether you would like to add "Authenticated Users" to the permissions list or add a group containing computers. If you want to add a group of computers, skip to Step 7.

To add "Authenticated Users", type "authenticated users" into the field labeled "Enter the object names to select". Then, click OK.

6) Click OK and skip to the "Outcome" section below.

7) If you do not wish for your GPO to be applied to other computers, type the name of the appropriate domain computers group with read permission. Then, click OK.

8) Click OK.


OUTCOME

The delegation properties of the GPO have been altered and will apply as specified.
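
To find which GPOs still need the change above, the following PowerShell script is an added example (not part of the original instructions) that audits every GPO in the current domain for a Read-capable entry for Authenticated Users or Domain Computers and then previews the fix. It assumes the GroupPolicy module from Remote Server Administration Tools is installed; the helper function and variable names are illustrative.

```powershell
# Added example: audit GPOs for the read permission MS16-072 requires.
# Requires the GroupPolicy module (installed with RSAT / GPMC).
Import-Module GroupPolicy

# Permission levels that include Read. GpoCustom is flagged separately
# because a custom entry may or may not grant Read.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-ComputerTrustee {
    # Hypothetical helper: true when the entry belongs to a trustee that
    # covers computer accounts by default.
    param($Permission)
    $sid = $Permission.Trustee.Sid.Value
    # S-1-5-11 = Authenticated Users; domain SID ending in -515 = Domain Computers
    ($sid -eq 'S-1-5-11') -or ($sid -match '^S-1-5-21-.+-515$')
}

$report = foreach ($gpo in Get-GPO -All) {
    $perms = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { Test-ComputerTrustee $_ })

    if ($perms | Where-Object { $readLevels -contains "$($_.Permission)" }) {
        $status = 'OK'
    }
    elseif ($perms.Count -gt 0) {
        $status = 'ReviewCustom'   # custom entry exists; check it in GPMC
    }
    else {
        $status = 'MissingRead'    # neither trustee has an entry on this GPO
    }

    [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; Status = $status }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize

# Dry run only: -WhatIf prints what would change without modifying any GPO.
# Remove -WhatIf after reviewing the list and testing on a non-production GPO.
$report | Where-Object { $_.Status -eq 'MissingRead' } | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -WhatIf
}
```

A GPO that grants Read to a custom group of computers, as in Step 7, is also reported as MissingRead because the script checks only the two built-in trustees, so review the list before removing -WhatIf.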
