User GPOs not working anymore? (MS16-072)

Hi guys, how are you doing?

I'm coming back to blogging and I will start writing in English, since I am living in Dublin now with my wife, and it's going to be a way to practice my English as well.

Today I'm going to talk about a security update that Microsoft released last year, in June: MS16-072. This update changed the way Group Policy is processed.

The update addresses an elevation-of-privilege vulnerability: an attacker positioned between a domain controller and a domain-joined computer (a man-in-the-middle) could tamper with the Group Policy traffic exchanged between them.

What Changed?

Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context.

What does it mean? 

If you removed the default "Authenticated Users" group from the Security Filtering of your GPO and replaced it with a custom security group containing only the target users, you also removed the "Read" permission from the computer accounts, because computers are members of "Authenticated Users" too. After MS16-072, the computer account is the one reading the user policy, so it can no longer read the GPO and the user settings silently stop applying. On an affected client, gpresult /r lists the GPO under "Denied GPOs" with "Filtering: Not Applied (Unknown Reason)".

How to Fix it?

Add either the "Authenticated Users" or the "Domain Computers" group with the "Read" permission on the GPO's "Delegation" tab. The point is to grant only "Read", not "Apply Group Policy", to that group, so you can keep using your custom group in Security Filtering. Do not re-add the group through the Security Filtering section itself, since that grants "Apply Group Policy" as well and the policy would apply to everyone again.

If you have too many GPOs and applying this fix one by one is not an option, consider using this script:
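As an added example (my own code, not the script the post refers to), the following PowerShell audits every GPO in the domain for a trustee that already holds at least Read, and grants Read, and only Read, to "Authenticated Users" (or "Domain Computers") on the ones that lack it. It assumes the GroupPolicy RSAT module is available, that you have rights to edit the GPOs' security, and that the trustee names returned by Get-GPPermission match the group names used here.

```powershell
# Added example for MS16-072 (not the post's own script). Requires the GroupPolicy
# module (RSAT or a domain controller) and rights to read and edit GPO security.
# Only GpoRead is ever granted; "Apply Group Policy" is never touched.
Import-Module GroupPolicy -ErrorAction Stop

# Permission levels that include Read. A trustee holding any of these is fine.
$script:LevelsWithRead = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadPermission {
    <#  Returns the GPOs where none of the given principals holds at least Read.
        Those are the GPOs whose user settings MS16-072 stops applying. #>
    [CmdletBinding()]
    param(
        # Assumed trustee display names; adjust if your domain shows them differently.
        [string[]]$Principals = @('Authenticated Users', 'Domain Computers')
    )
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        $hasRead = $perms | Where-Object {
            $_.Trustee.Name -in $Principals -and
            $_.Permission.ToString() -in $script:LevelsWithRead
        }
        if (-not $hasRead) {
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($perms | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
            }
        }
    }
}

function Repair-GpoReadPermission {
    <#  Grants Read (and only Read) to -Principal on every GPO flagged by
        Test-GpoReadPermission. Supports -WhatIf so you can review first. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Authenticated Users', 'Domain Computers')]
        [string]$Principal = 'Authenticated Users'
    )
    foreach ($gpo in Test-GpoReadPermission) {
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant '$Principal' GpoRead")) {
            # -PermissionLevel GpoRead is the same thing the Delegation tab does when
            # you add a group there: Read without Apply Group Policy.
            Set-GPPermission -Guid $gpo.Id -TargetName $Principal -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Id = $gpo.Id; Granted = "$Principal = GpoRead" }
        }
    }
}

# Usage:
#   Test-GpoReadPermission | Format-Table -AutoSize    # audit only, changes nothing
#   Repair-GpoReadPermission -WhatIf                   # dry run
#   Repair-GpoReadPermission                           # grant Authenticated Users Read
#   Repair-GpoReadPermission -Principal 'Domain Computers'
```

Run the audit first and keep the output; it is the only record of which GPOs were changed. Prefer "Authenticated Users" over "Domain Computers": domain controllers are not members of "Domain Computers", so user policies applied to users logging on to a DC would still fail with that choice. After the change, run gpupdate /force on a client and confirm with gpresult /r that the GPO no longer shows "Not Applied (Unknown Reason)".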

You can find more detailed information here.

Thank you.