If user Group Policy Objects (GPOs) are no longer being applied correctly on your network, this post shows how to fix it.
In June 2016 Microsoft released a security update, MS16-072, that changed the way Group Policy is processed on client computers.
The update closes a vulnerability in which an attacker positioned between a domain controller and a computer could intercept the Group Policy traffic exchanged between them.
What has changed?
Before MS16-072 is installed on a computer, that computer retrieves user group policies using the user's security context, so a GPO only has to be readable by the user. After MS16-072 is installed, user group policies are retrieved using the computer's security context instead, so the computer account must be able to read the GPO as well.
What does it mean?
By default the Security Filtering of a GPO contains the "Authenticated Users" group, which holds both the "Read" and the "Apply Group Policy" permissions. If you removed that group and replaced it with a custom security group containing only the target users, you also removed the "Read" permission from the computer accounts, because computer accounts are members of "Authenticated Users" too. After MS16-072 the computer can no longer read the GPO, so the user settings in it are no longer applied.
How to fix it?
Add either the "Authenticated Users" group or the "Domain Computers" group with the "Read" permission on the "Delegation" tab of the Group Policy Object. The point is to grant only "Read", not "Apply Group Policy", to the group you add, so the GPO is still applied only to the members of your custom security group, which you can keep using in the Security Filtering tab as usual. To confirm the fix, run gpupdate /force on an affected computer and then gpresult /r: the GPO should now be listed among the applied Group Policy Objects for the user.
If you have too many GPOs to apply the above workaround one by one, consider using the below script:
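The following PowerShell is an added example written for this page; it is not the script the author shared. It walks every GPO in the domain with the GroupPolicy module (Get-GPO, Get-GPPermission, Set-GPPermission), and grants "Read" only, never "Apply Group Policy", to the chosen principal on GPOs where that principal has no permission at all. It assumes the GroupPolicy module is installed (RSAT / Group Policy Management) and that the account running it may modify GPO security; the -Principal and -ReportOnly parameters are the example's own, added so you can dry-run it before changing anything.

```powershell
# Added example, not the script from the original post.
# Grants "Read" (not "Apply Group Policy") on every GPO that lacks it for the
# chosen principal, so computer accounts can read user policy after MS16-072.
# Assumes the GroupPolicy module is available and the caller can edit GPO ACLs.
param(
    [string]$Principal = 'Authenticated Users',   # or 'Domain Computers'
    [switch]$ReportOnly                          # hypothetical dry-run switch
)

Import-Module GroupPolicy -ErrorAction Stop

$updated = @()
$alreadyReadable = @()

foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission throws when the principal has no ACE on the GPO at all,
    # so a suppressed error here simply means "no permission".
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $Principal -TargetType Group -ErrorAction SilentlyContinue

    # GpoApply, GpoEdit and the other levels all include Read, so anything
    # above None that is not a Deny entry is already sufficient.
    if ($perm -and $perm.Permission -ne 'None' -and -not $perm.Denied) {
        $alreadyReadable += $gpo.DisplayName
        continue
    }

    if ($ReportOnly) {
        Write-Host ("Would grant Read on '{0}' to '{1}'" -f $gpo.DisplayName, $Principal)
    } else {
        # GpoRead adds only the Read permission; the Security Filtering set by
        # your custom group (Read + Apply Group Policy) is left untouched.
        Set-GPPermission -Guid $gpo.Id -TargetName $Principal -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Host ("Granted Read on '{0}' to '{1}'" -f $gpo.DisplayName, $Principal)
    }
    $updated += $gpo.DisplayName
}

Write-Host ("GPOs updated: {0}; already readable by '{1}': {2}" -f $updated.Count, $Principal, $alreadyReadable.Count)
```

Run it first as `.\Fix-GpoRead.ps1 -ReportOnly` to list the GPOs that would change, then without the switch to apply the fix. If a GPO shows a Deny entry for the principal, the script will report it but Set-GPPermission will not override an explicit Deny; review such GPOs by hand on the Delegation tab.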
You can find further information here.
For any doubts or suggestions, please leave a comment below.