Check and update your GPOs for MS16-072
Check and update your GPOs for MS16-072
Description

Due to the update MS16-072, you will have to check and update your GPO permissions.

Why

The following article describes very well why this update have changed our policy processing :

After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This by-design behavior change protects domain joined computers from a security vulnerability.

When a user group policy is retrieved using the computer’s security context, the computer account will now need “read” access to retrieve the group policy objects (GPOs) needed to apply to the user.

Traditionally, all group policies were read if the “user” had read access either directly or being part of a domain group e.g. Authenticated Users

Solution

Consequently, I have written a script to help you on setting the correct permission on your GPOs. There are two parts :

  • Check GPO permissions
  • Update GPO permissions

I have removed the GPO “Default Domain Controllers Policy” and “Default Domain Policy” from this script. You can replace the line
$gpolist = Get-GPO -All | select displayname,GpoStatus | ? {($_.displayname -ne “Default Domain Controllers Policy”) -and ($_.displayname -ne “Default Domain Policy”)}| Sort-Object @{Expression=’displayname’; Ascending=$True}
by this line
$gpolist = Get-GPO -All | select displayname,GpoStatus | Sort-Object @{Expression=’displayname’; Ascending=$True}
if you wnat to include them.

How it works

The script process is quite simple. In the case you want to update all of your GPO, the script will do the following steps:
first of all, all the GPO will be listed
after that, a report will be generated. This report will show you which GPO requiresan update or not
finally, the cmdlet Set-GPPermissions will set the correct permissions

Script

Download

Do not hesitate to leave me a message if you have any problem with it.

Check and update your GPOs for MS16-072

Leave a Reply

Your email address will not be published.