Shulou(Shulou.com)06/03 Report--

In the past, for ease of management or other purposes, we sent the user policy in the group policy through GPMC (for example, user folder redirection) by linking the policy to the user's peer\ superior OU, and then selecting the user (or the user group to which the user belongs) in the Security filter. However, in October last year, when encapsulating a virtual machine template, we updated all the security patches of win7 pro sp1 x64. Because it was updated on the basis of the original template, there was no comprehensive testing (some necessary tests were also carried out with the login of the local administrator of the system). We directly used this template to create a new virtual machine for colleagues to use. After colleagues logged in with domain users, they found that all user-based policies were invalid! !

At this time, under the influence of empiricism, conventional sysvol inspection and gpresult analysis wasted a lot of time.

After thinking about it, the difference between templates is the version of some applications and the number of Microsoft patches. So copy a template, start with the Microsoft patch, delete one by one, delete a test. After the KB3159398 is deleted, the user policy is restored. Baidu: Microsoft's KB3159398 description. Microsoft spoke in black and white about the impact of the patch and gave a solution:

Symptom

All user group policies, including those that have security filtering on user accounts or security groups, may not apply to computers that join the domain.

Reason

This problem may occur if the group policy object is missing permissions to read Authenticated Users groups, or if you are using security filtering and permissions for computer groups in domains that lack reading.

Resolution

To resolve this issue, use the Group Policy Management console (GPMC.MSC) and follow one of the following steps:

Add an Authenticated Users group with read permissions on the Group Policy object (GPO).

If you are using security filtering, add a domain computer group with read permissions.

/ * Google translation of the original text, can you understand the general meaning * /

The two unordered list contents in "resolution" are the solution.

The first approach is obviously impractical.

The second method, which means to add computer objects that want to take effect the user group policy to the security filter, also means that the method of filtering or delegating only the user / user group to take effect the policy will no longer exist.

To put it popularly, in order to implement the user group policy issued by KB3159398, the security filtering or delegation of the policy must select both the computer and the user!

Of course, win7, to be exact, the operating system of the Windows NT kernel version 6.1, can choose not to install this patch or uninstall it, but win10, which has integrated this patch, cannot uninstall it. What's more, among our clients, there are not a few obsessive-compulsive users who use third-party software to upgrade patches. I changed the Windows Update server address in GPMC, and the firewall blocked the mainstream security software patch download traffic (some 60 some butler and so on). But there will still be fish out of the net, and there is no way to revolve around this thing every day. )

So, get into the habit and change the management method.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.