GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10

Check the patch joeqwerty linked too.

Here is the important detail:

Known issues

MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the machine’s security context. This issue is applicable for the following KB articles:

  • 3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
  • 3163017 Cumulative update for Windows 10: June 14, 2016
  • 3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
  • 3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and apply one of the following steps:

- Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
- If you are using security filtering, add the Domain Computers group with read permission.

See this link Deploy MS16-072 which explains everything and offers a script to repair the affected GPOs. The script adds Authenticated Users read permissions to all GPOs which have no permission for Authenticated Users.

# Copyright (C) Microsoft Corporation. All rights reserved.

# The GroupPolicy module requires Windows 7 / Server 2008 R2 (6.1.7601) or later.
$osver = [System.Environment]::OSVersion.Version
$win7 = New-Object System.Version 6, 1, 7601, 0

if($osver -lt $win7)
{
    Write-Error "OS Version is not compatible for this script. Please run on Windows 7 or above"
    return
}

# Get-GPO / Get-GPPermissions / Set-GPPermissions come from the GPMC (RSAT) GroupPolicy module.
Try
{
    Import-Module GroupPolicy
}
Catch
{
    Write-Error "GP Management tools may not be installed on this machine. Script cannot run"
    return
}

$arrgpo = New-Object System.Collections.ArrayList

# Only GPOs whose User Configuration is enabled are affected by the MS16-072 change,
# because only user policy retrieval switched to the computer's security context.
foreach ($loopGPO in Get-GPO -All)
{
    if ($loopGPO.User.Enabled)
    {
        # Collect the GPO if no ACE at all names 'Authenticated Users' (any permission level counts).
        $AuthPermissionsExists = Get-GPPermissions -Guid $loopGPO.Id -All | Select-Object -ExpandProperty Trustee | ? {$_.Name -eq "Authenticated Users"}
        If (!$AuthPermissionsExists)
        {
            $arrgpo.Add($loopGPO) | Out-Null
        }
    }
}

if($arrgpo.Count -eq 0)
{
    echo "All Group Policy Objects grant access to 'Authenticated Users'"
    return
}
else
{
    Write-Warning  "The following Group Policy Objects do not grant any permissions to the 'Authenticated Users' group:"
    foreach ($loopGPO in $arrgpo)
    {
        write-host "'$($loopgpo.DisplayName)'"
    }
}

$title = "Adjust GPO Permissions"
$message = "The Group Policy Objects (GPOs) listed above do not have the Authenticated Users group added with any permissions. Group policies may fail to apply if the computer attempting to list the GPOs required to download does not have Read Permissions. Would you like to adjust the GPO permissions by adding Authenticated Users group Read permissions?"

$yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
    "Adds Authenticated Users group to all user GPOs which don't have 'Read' permissions"
$no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
    "No Action will be taken. Some Group Policies may fail to apply"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)  
$appliedgroup = $null
switch ($result)
{
    0 {$appliedgroup = "Authenticated Users"}
    1 {$appliedgroup = $null}
}
If($appliedgroup)
{
    foreach($loopgpo in $arrgpo)
    {
        write-host "Adding 'Read' permissions for '$appliedgroup' to the GPO '$($loopgpo.DisplayName)'."
        Set-GPPermissions -Guid $loopgpo.Id -TargetName $appliedgroup -TargetType group -PermissionLevel GpoRead | Out-Null
    }
}

If you prefer to set the read permission for Domain Computers (as I do) rather than Authenticated Users, just change this 0 {$appliedgroup = "Authenticated Users"} to that 0 {$appliedgroup = "Domain Computers"}
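As an added example (not Microsoft's script above and not from the answer's author), here is a PowerShell audit that covers both acceptable fixes from the KB text: it reports every GPO with user settings enabled where neither Authenticated Users nor Domain Computers holds at least Read, and can optionally add Read for a chosen group, with -WhatIf support so the change can be previewed first. It uses the real GroupPolicy module cmdlets Get-GPO, Get-GPPermission and Set-GPPermission; the -Fix and -Trustee parameters are this example's own, the default of Domain Computers follows the answer's stated preference, and the trustee names are assumed to be returned without a domain prefix, as the comparison in Microsoft's script above also assumes.

```powershell
# Added example: audit GPOs for the MS16-072 read-permission condition and optionally repair them.
# Assumptions: GroupPolicy module available; trustee names returned without a domain prefix.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix,                           # add Read for $Trustee to the at-risk GPOs
    [string]$Trustee = 'Domain Computers'   # assumed default, as preferred in the answer above
)

Import-Module GroupPolicy -ErrorAction Stop

# Either trustee having Read lets the computer account retrieve user policy after MS16-072.
$acceptable = @('Authenticated Users', 'Domain Computers')

# Any of these levels includes Read; a Deny ACE does not count as a grant.
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

$results = foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission is the cmdlet; Get-GPPermissions (used above) is its alias.
    $perms   = Get-GPPermission -Guid $gpo.Id -All
    $readers = $perms | Where-Object {
        ($acceptable -contains $_.Trustee.Name) -and
        ($readLevels -contains [string]$_.Permission) -and
        (-not $_.Denied)
    }
    [pscustomobject]@{
        DisplayName   = $gpo.DisplayName
        Id            = $gpo.Id
        UserSettings  = $gpo.User.Enabled
        ReadGrantedTo = ($readers | ForEach-Object { $_.Trustee.Name }) -join ', '
        # Only GPOs with user settings enabled fail in the way the KB describes.
        AtRisk        = [bool]($gpo.User.Enabled -and -not $readers)
    }
}

$results | Sort-Object AtRisk -Descending |
    Format-Table DisplayName, UserSettings, ReadGrantedTo, AtRisk -AutoSize

$atRisk = $results | Where-Object AtRisk
if (-not $atRisk) {
    Write-Host "No GPO with user settings lacks Read for $($acceptable -join ' / ')."
    return
}

if ($Fix) {
    foreach ($g in $atRisk) {
        # -WhatIf / -Confirm are honoured here through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($g.DisplayName, "Grant '$Trustee' GpoRead")) {
            Set-GPPermission -Guid $g.Id -TargetName $Trustee -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
    }
}
```

Run it without parameters from a machine with the GPMC tools to get the report only; `.\Audit-GpoRead.ps1 -Fix -WhatIf` lists what would change, and `-Fix -Trustee 'Authenticated Users'` applies the KB's first resolution instead of the second. Note that granting Read to Domain Computers only restores retrieval; the Apply permission on the users or groups in Security Filtering is still what decides who actually receives the policy, which is the distinction raised in the comments below.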

Author: Daniel
Updated on September 18, 2022

Comments

  • Daniel
    Daniel over 1 year

    I have a Windows Server 2012 R2 Domain.

    Yesterday, a computer’s (running Windows 10 Pro) network drive stopped working.

    After further investigation (gpresult /h) it appears ALL group policy objects are failing with the reason Inaccessible, Empty, or Disabled.

    I have confirmed that all the GPOs still exist and are enabled on both (redundant and local) domain controllers. Furthermore, there are 20 other machines on the same domain and LAN with absolutely no problems.

    However, there is one other computer that I tested which presented with the same problem! Does that mean the problem is with the servers?

    gpresult /r reports that one client is getting GPOs from local DC1, and the other from DC2. So it is not a problem related to a specific DC.

    gpupdate /force fixed nothing (though it claimed that policies were applied).

    I tried deleting the registry entries for local policies (following this guide https://superuser.com/questions/379908/how-to-clear-or-remove-domain-applied-group-policy-settings-after-leaving-the-do) and rebooting - same problem.

    I found this support page from Microsoft (https://support.microsoft.com/en-us/kb/2976965), but it claims it only applies to Windows 7 or earlier clients.

    All my machines (both server and client) are running 64-bit versions and are fully updated. I have rebooted all of them just to be sure.

  • Daniel
    Daniel almost 8 years
    Looks like I will tentatively mark this as the answer. I added “Domain Computers” with read access to my security filtering and now at least one of the computers with the problem is working. So I assume a patch automatically applied itself to the server via Windows Update and caused this problem. Now I’m also wondering what the difference is between the Delegation tab for a GPO and the Security Filtering section ... time to read up
  • Adwaenyth
    Adwaenyth almost 8 years
    To add a little to the confusion, for me it was necessary to add the security group containing the user AND the group containing the computer for the policy to apply. Adding only one (either user or computer) would result in the policy not getting applied. It doesn't necessarily need to be the Domain Computers group, just the combination of user and computer must be valid in the security filtering if the policy should apply.
  • Brain Foo Long
    Brain Foo Long almost 8 years
    That fixed it for our company -> Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). Big thx
  • Sephethus
    Sephethus almost 8 years
    That doesn't appear to be an actual solution as I don't want everyone to have that GPO applied, just specific people in the group. Why is MS still deploying this in Windows Update? It breaks everything.
  • Sephethus
    Sephethus almost 8 years
    Yeah, the problem is many of them did have user settings as well as computer settings; in fact most had computer settings that only affect users in a specific group.