During a project, a customer of mine found that a new policy didn’t work as intended because the GPO was inaccessible.
The GPOs were verified multiple times and there was nothing wrong with either the settings, the scope or the security filtering.
After some troubleshooting I found that gpresult /h indicated that the reason was that the GPO was Inaccessible, Empty or Disabled.
Because of vulnerabilities in GPOs, Microsoft implemented a design change in Security Update for Group Policy (3163622).
The update changes how the policies are retrieved by using the computer's security context instead of the user's.
The reason for this is to prevent a man-in-the-middle attack that could elevate a user's permissions.
There are two methods of solving this using Group Policy Management Console.
- Add the Authenticated Users group with Read Permissions on the Group Policy Object in the Delegation tab.
- If you are using security filtering, add the Domain Computers group with read permission on the Group Policy Object.
In addition you can use this link if you have multiple GPOs that might need fixing.
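
To find every GPO that needs one of the two fixes above, the following PowerShell is an added example (not from the original post and not Microsoft's script). It assumes the GroupPolicy RSAT module is installed; the function name `Get-GpoMissingComputerRead` is hypothetical, and trustees are matched by SID so the check also works on localized domains.

```powershell
#Requires -Modules GroupPolicy
# Added example: list GPOs where neither Authenticated Users nor Domain Computers
# holds at least Read, which is what the computer account needs after update 3163622.

function Get-GpoMissingComputerRead {
    [CmdletBinding()]
    param(
        [string]$Domain = $env:USERDNSDOMAIN   # assumption: run from a domain-joined host
    )

    # Permission levels that include Read on the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $acl = Get-GPPermission -Guid $gpo.Id -Domain $Domain -All

        # S-1-5-11 = Authenticated Users; RID 515 = Domain Computers.
        $computerReadable = $acl | Where-Object {
            $sid = $_.Trustee.Sid.Value
            ($sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515') -and
            ($readLevels -contains "$($_.Permission)")
        }

        if (-not $computerReadable) {
            # GpoCustom entries are not counted as Read here; review those by hand.
            [pscustomobject]@{
                DisplayName = $gpo.DisplayName
                Id          = $gpo.Id
                Trustees    = ($acl | ForEach-Object { "$($_.Trustee.Name)=$($_.Permission)" }) -join '; '
            }
        }
    }
}

# Report the affected GPOs.
$affected = Get-GpoMissingComputerRead
$affected | Format-Table DisplayName, Id, Trustees -AutoSize

# Preview the first fix (Authenticated Users with Read). Remove -WhatIf to apply it.
# GpoRead does not add Apply, so security filtering is unchanged.
$affected | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -WhatIf
}
```

The `-TargetName` in the remediation step is the English group name; on a localized domain substitute the local name, or use Domain Computers as in the second fix.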