GPO Inaccessible, Empty or Disabled due to delegations

posted in: Powershell

Introduction

During a project a customer of mine found that a new policy did not work as intended because the GPO was reported as inaccessible.

The GPOs were verified several times and nothing was wrong with the settings, the link scope or the security filtering.

After some troubleshooting I found that the report produced by gpresult /h listed the policy under "Denied GPOs" with the reason "Inaccessible, Empty or Disabled".

Issue

Because of a vulnerability in Group Policy, Microsoft made a design change in MS16-072, Security Update for Group Policy (KB3163622), released 14 June 2016.

Since that update the user policies are retrieved using the computer's security context instead of the user's. A GPO that only grants Read to the users in its security filtering (and not to the computer account) can therefore no longer be read during policy processing, which is what gpresult reports as inaccessible.

The reason for the change is to prevent a man-in-the-middle attack in which an attacker spoofing the domain controller could supply a malicious GPO and elevate a user's permissions.

Solution

There are two ways of solving this in the Group Policy Management Console, on the Delegation tab of the affected GPO.

  • Add the Authenticated Users group with Read permission (Read only, not Apply Group Policy, otherwise the security filtering is bypassed and the GPO applies to everyone).
  • If you are using security filtering and do not want Authenticated Users on the GPO, add the Domain Computers group with Read permission instead.
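The same check and fix can be done for every GPO in the domain at once. The script below is an added example, not code from the original post or from Microsoft; it uses the GroupPolicy RSAT module and assumes it runs on a domain-joined machine with rights to read (and, with -Fix, to change) GPO permissions. It reports each GPO that lacks a Read entry for Authenticated Users or Domain Computers and, when asked, grants Authenticated Users Read only, so existing security filtering is left intact.

```powershell
# Added example (not part of the original post): audit all GPOs for the
# MS16-072 read-permission issue and optionally repair them.
# Assumes: GroupPolicy module available, domain-joined host, GPO admin rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Pass -Fix to grant Authenticated Users Read (not Apply) on affected GPOs.
    [switch]$Fix
)

Import-Module GroupPolicy -ErrorAction Stop

# Either of these trustees having Read is enough for the computer account
# to retrieve the GPO during policy processing.
$readers = @('Authenticated Users', 'Domain Computers')

# Permission levels that include Read access to the GPO.
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$results = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # An allow ACE for one of the readers with at least Read satisfies the check.
    $readable = [bool]($perms | Where-Object {
        $readers -contains $_.Trustee.Name -and
        -not $_.Denied -and
        $readLevels -contains $_.Permission.ToString()
    })

    if (-not $readable -and $Fix -and
        $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant Authenticated Users Read')) {
        # GpoRead grants Read only; GpoApply would bypass security filtering.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $readable = $true
    }

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        Readable    = $readable
        Trustees    = ($perms | Where-Object { -not $_.Denied } |
                       ForEach-Object { $_.Trustee.Name }) -join ', '
    }
}

# Affected GPOs first so they stand out in the output.
$results | Sort-Object Readable, DisplayName | Format-Table -AutoSize
```

Run it without parameters first to get the list; then run it with -Fix -WhatIf to see which GPOs would be changed, and finally with -Fix. GPOs that are deliberately filtered to specific users will show up as not readable; for those, choose between the Authenticated Users Read entry the script adds and a Domain Computers Read entry added by hand, as described above.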

Resources

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-072
https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016

If you have many GPOs that might need fixing, the following post shows how to check them with PowerShell.

https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/
