This doozy was issued in June following MS16-072. If you’ve had any user-based GPOs simply stop working in the past 2 months, this is likely the culprit. Before this update, when a machine processed its group policy it read the GPO on the DC in the user’s security context. The update intentionally changed this so that the GPO is now requested in the computer’s context.

What this means is that if you removed “Authenticated Users” from any of your policies in an effort to filter who the GPO applied to, the policies will never be read, even if the users are in the groups you scoped them to. Because the computer account now requests the policy, the computer has to have permission to read it. Authenticated Users comprises both users and computers.

This is what this script does – it scans through all the GPOs on a domain controller and searches for group policies that are missing the Authenticated Users read permission. It then generates a ticket with the list of affected GPOs against the client/computer. Note that this does not mean the policy will apply to all authenticated users; it simply means that authenticated users can read the policy. It’s also worth pointing out that if you are relying on removing Authenticated Users to scope your GPOs, you really need to look into item-level targeting where applicable.

There is a parameter in this script called autofix. If you set this to yes, it will fix the GPOs it finds in an incorrect state by adding a permission entry on each GPO that gives Authenticated Users the ability to read it. It adds all the changes it has made to a ticket and then auto-closes the ticket.

To run this, the server needs to be a domain controller that supports the PowerShell cmdlet Get-GPO. If you don’t meet these criteria, the script exits with an error in the log of the relevant machine.

If you do not set the autofix parameter to yes, the default behaviour is to audit and log a ticket if required. It will not modify your GPOs.
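As an added example that is not the author’s script (which is only linked below), here is a PowerShell sketch of the same audit-and-optional-autofix logic built on the GroupPolicy module’s Get-GPO, Get-GPPermission and Set-GPPermission cmdlets. The AutoFix parameter name, the report layout and the state names are my assumptions, and the RMM ticket is replaced by a table written to the console.

```powershell
# Added example, not the script linked from this post. Assumes the GroupPolicy module
# (RSAT or a DC) and an account that can read GPO ACLs, and edit them when -AutoFix yes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet('yes', 'no')]
    [string]$AutoFix = 'no'
)

Import-Module GroupPolicy -ErrorAction Stop

# Every one of these permission levels contains the Read right that computer-context
# policy processing needs after MS16-072. GpoCustom is flagged for manual review.
$LevelsWithRead = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
$AuthUsersSid   = 'S-1-5-11'   # well-known SID for Authenticated Users (locale independent)

function Get-GpoAuthUsersState {
    param([Microsoft.GroupPolicy.Gpo]$Gpo)
    $entries = Get-GPPermission -Guid $Gpo.Id -All |
               Where-Object { $_.Trustee.Sid.Value -eq $AuthUsersSid }
    if (-not $entries) { return 'Missing' }
    foreach ($e in $entries) {
        if ($LevelsWithRead -contains [string]$e.Permission) { return 'Ok' }
    }
    return 'Custom'
}

$report = foreach ($gpo in Get-GPO -All) {
    $state = Get-GpoAuthUsersState -Gpo $gpo
    if ($state -eq 'Ok') { continue }
    $action = 'Audit only'
    if ($AutoFix -eq 'yes' -and $state -eq 'Missing' -and
        $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Authenticated Users read')) {
        # No -Replace: a new ACE is added and nothing already on the GPO is downgraded.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $action = 'Fixed: GpoRead granted'
    }
    [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; State = $state; Action = $action }
}

# This list is what would go into the ticket; 'Custom' rows need a human to look at the ACL.
if ($report) { $report | Format-Table -AutoSize }
else         { Write-Output 'All GPOs grant Authenticated Users read.' }
```

Run with `-AutoFix yes -WhatIf` first to see which GPOs would be changed without touching anything.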

As always, use at your own risk and test thoroughly in your environments before using! I’ve run this across our entire estate though and it worked fine.

Here is the script – link