User Settings in GPO Broken

Sean Huggans's picture

Writing this up in case anyone else is having issues: I had a case a few days ago where user-based GPOs were not applying to users. This was seemingly random, as the settings would apply as intended on some computers, but other computers (even with the same user accounts) would not ever apply the settings. In a test lab, the same GPOs with the same permissions applied correctly.

The issue ended up being KB3159398, which changes permission requirements on Group Policy objects. After patch KB3159398 is installed on a client, in order for a user account to apply settings from any GPO, the computer account the user is logged in to must have at least Read permission set on the GPO. The clients that were working did not yet have the patch; once it was installed, they were broken.

This means that, in order to apply a GPO exclusively to a group of users, you can no longer remove Authenticated Users and add the user group with Read and Apply permissions. Instead, you must leave Authenticated Users in place, remove the Apply permission (it is important not to change this to Deny), leave the Read permission in place, and then add your intended target user group with Read and Apply permissions.
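The check and the permission change described above can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original write-up; the GPO name and group name are placeholders, and treating Domain Computers as a second trustee that covers computer accounts is an assumption.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

# Trustees that cover computer accounts. 'Domain Computers' is an assumption
# for environments that grant computers Read directly on the GPO.
$computerTrustees = 'Authenticated Users', 'Domain Computers'

function Test-GpoComputerRead {
    param([Parameter(Mandatory)] [Guid] $GpoId)
    foreach ($name in $computerTrustees) {
        # Get-GPPermission raises an error when the trustee has no entry,
        # so suppress it and treat "no result" as "no permission".
        $p = Get-GPPermission -Guid $GpoId -TargetName $name -TargetType Group `
                              -ErrorAction SilentlyContinue
        # GpoRead, GpoApply and the edit levels all include Read.
        # GpoCustom entries (for example a Deny ACE) still need manual review.
        if ($p -and $p.Permission -ne 'None') { return $true }
    }
    return $false
}

# Audit: GPOs that computer accounts cannot read. User settings in these
# stop applying on clients once KB3159398 is installed.
Get-GPO -All |
    Where-Object { -not (Test-GpoComputerRead -GpoId $_.Id) } |
    Select-Object DisplayName, Id |
    Format-Table -AutoSize

function Set-GpoUserFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,      # GPO display name
        [Parameter(Mandatory)] [string] $TargetGroup   # user group to filter to
    )
    # -Replace removes the existing level first, so an existing
    # Read + Apply entry is lowered to Read only (no Deny ACE is created).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                     -TargetType Group -PermissionLevel GpoRead -Replace
    # GpoApply grants Read and Apply Group Policy to the intended users.
    Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
                     -TargetType Group -PermissionLevel GpoApply
}

# Placeholder names; uncomment after reviewing the audit output.
# Set-GpoUserFiltering -GpoName 'Example User Policy' -TargetGroup 'Example-Users'
```

Run the audit from an account that can read all GPOs in the domain, otherwise GPOs that account cannot see are missing from the output.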

Removing KB3159398 is probably a bad idea, as the changes within the KB will probably just be included in a future Windows Update Roll-up anyway.