New Group Policy Patch MS16-072. Indeed, I had noted late on Tuesday via Twitter. It turned out that the fix was a bit problematic for folks who had set per-user security group filtering in their GPOs, as shown in the figure below. GPOs set up this way were no longer being processed after the patch was applied to client systems.

A GPO with no Authenticated Users in Security Filtering.

Specifically, if you'd set security group filtering for GPOs that contain per-user settings, and you'd removed Authenticated Users completely from the GPO's delegation, then GPO processing for per-user settings would fail after applying MS16-072. In Microsoft's article on the patch, there's a section called Known Issues where it says the following:

"MS16-072 … This by-design behavior change protects customers. Before MS16-072 … After MS16-072 is installed, user group policies are retrieved by using the machine's security context."

Um. What it's saying is that per-user GP processing has fundamentally changed. It goes on to further say:

"This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group."

Indeed, many people found that by adding back the Authenticated Users Access Control Entry (ACE) to the GPO's delegation with Read access (NOTE: I AM SAYING READ ACCESS. THIS IS DIFFERENT …). The above referenced article says that you can add either Authenticated Users or Domain Computers.

What I've done is created a quick PowerShell script for those who have a lot of GPOs in their environment and don't want to manually make this change. What the script does is get a list of all of your GPOs in the current domain. It then iterates through them and checks to see whether the Authenticated Users or Domain Computers group is present in the GPO's delegation. If not found, the script adds the Read (only) permission to the GPO for Authenticated Users. You might decide you'd rather use Domain Computers, because some people have purposefully prevented Authenticated Users from reading their GPOs to prevent unwanted security posture discovery. You can easily modify the script to add Domain Computers instead of Authenticated Users by modifying line 9 of the script. Note that this script needs the Group Policy PowerShell module that is part of GPMC to be installed in order to function: GPO Permission script for MS16-072. Download the Script File.

PLEASE NOTE: THIS SCRIPT CHANGES PERMISSIONS ON YOUR GPOs. Test first in a non-production environment before running it against your live GPOs. It's provided for you as-is, with no warranty!

June 16 Edit: I made a change to the script, to have it check for GPOs that contain user settings, since we're only interested in doing this fix for GPOs with per-user settings. Also note that Microsoft has just released an assessment-only script here.

June 17 Edit: I added a blog post to show how you can modify the default permissions that get stamped on a newly created GPO, to include Domain Computers with Read access.

June 21 Edit: Another quick update to share a great blog post that fellow techie Jeremy Saunders did to enhance the script I've provided. Check it out!

Next Steps. I've been asked if this is a bug that Microsoft will fix. If you read the article I mention above, it sure doesn't seem like they see it as a bug, but rather a change in behavior in the interests of security. I agree that making GP secure is critical to ensuring it can do its job of, well, securing your Windows systems. I wish they had given a little bit more notice on this so it didn't break people's GP environments, but, hey, at least NOW we know :-). If you have any feedback or questions on the script, feel free to email us at info@sdmsoftware.
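The procedure the post describes (enumerate every GPO in the domain, skip those with no user settings, and where neither Authenticated Users nor Domain Computers already holds a Read-or-better entry, grant Read only), written out as an added example. This is not the SDM Software script linked above, nor Microsoft's assessment script; it is illustrative code that assumes the GroupPolicy module from GPMC is installed and that the caller has rights to modify GPO security. It identifies the two groups by SID rather than by display name (S-1-5-11 for Authenticated Users, RID 515 for Domain Computers) so it works in any domain language, and it supports -WhatIf so you can run it as an assessment before changing anything.

```powershell
#Requires -Modules GroupPolicy
<#
  Added example, not the script the post links to.
  Grants GpoRead (never GpoApply, so existing user-level security
  filtering is preserved) to Authenticated Users, or to Domain Computers
  with -UseDomainComputers, on every GPO that has user settings and no
  readable entry for either group. Run with -WhatIf first to audit.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Use Domain Computers instead of Authenticated Users (the post's alternative
    # for shops that deliberately hide GPO contents from ordinary users).
    [switch]$UseDomainComputers
)

Import-Module GroupPolicy -ErrorAction Stop

# Well-known SID for Authenticated Users; Domain Computers is <domain SID>-515.
$authenticatedUsersSid = 'S-1-5-11'
$domainComputersRid    = '-515'

function Test-GpoReadable {
    # Returns $true when Authenticated Users or Domain Computers already has
    # an allow entry at GpoRead or higher (Apply/Edit levels all include Read).
    param($Gpo)
    $aces = Get-GPPermission -Guid $Gpo.Id -All |
            Where-Object { -not $_.Denied -and $_.Permission -ne 'None' }
    foreach ($ace in $aces) {
        $sid = $ace.Trustee.Sid.Value
        if ($sid -eq $authenticatedUsersSid) { return $true }
        if ($sid -like 'S-1-5-21-*' -and $sid.EndsWith($domainComputersRid)) { return $true }
    }
    return $false
}

$target = if ($UseDomainComputers) { 'Domain Computers' } else { 'Authenticated Users' }

foreach ($gpo in Get-GPO -All) {
    # Only GPOs carrying user settings are affected by the MS16-072 change
    # (a version of 0 on both the AD and SYSVOL side means no user settings).
    $hasUserSettings = ($gpo.User.DSVersion -gt 0) -or ($gpo.User.SysvolVersion -gt 0)
    if (-not $hasUserSettings) { continue }

    if (Test-GpoReadable -Gpo $gpo) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Action = 'OK, Read already present' }
        continue
    }

    # ShouldProcess honours -WhatIf / -Confirm so this doubles as an assessment run.
    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant GpoRead to $target")) {
        Set-GPPermission -Guid $gpo.Id -TargetName $target -TargetType Group `
                         -PermissionLevel GpoRead | Out-Null
        [pscustomobject]@{ GPO = $gpo.DisplayName; Action = "Granted Read to $target" }
    }
    else {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Action = "Would grant Read to $target" }
    }
}
```

Save it as, for example, Repair-GpoReadAccess.ps1 and run `.\Repair-GpoReadAccess.ps1 -WhatIf` first; the output lists each affected GPO and what would change. Granting GpoRead rather than GpoApply is the point the post stresses: the computer account only needs to read the user half of the GPO, and adding Apply would silently widen who the policy targets.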