Puzzle: after Windows 7 is patched with KB3159398, what becomes of user-based Group Policy settings deployed through GPMC?

        In the past, for ease of management or for other purposes, we deployed user settings in Group Policy through GPMC (for example, user folder redirection): we simply linked the policy to the user's own OU or a parent OU and then selected the user (or the group the user belongs to) under Security Filtering. However, in October last year, while a virtual machine template was being prepared, all security patches for Windows 7 Pro SP1 x64 were applied. Because the update was built on top of the original template, there was no thorough testing (only some necessary checks were done with a local Administrator login), and the template was used directly to create new virtual machines for colleagues. After colleagues logged in with domain users, they found that all user-based policies had no effect!!!

        At this point, guided by past experience, the routine sysvol inspection and gpresult analysis wasted a lot of time.

        Thinking it over, the differences between the old and new template were the versions of some applications and the set of Microsoft patches. So I copied the template and started with the Microsoft patches, removing them one at a time and testing after each removal. After removing KB3159398, the user policies were restored. A Baidu search led to Microsoft's description of KB3159398. Microsoft states the impact of this patch in black and white and gives a solution:

Symptom

All user Group Policies, including those with security filtering on user accounts or security groups, may not apply to domain-joined computers.

Cause

This problem may occur if the Group Policy Object is missing the Read permission for the Authenticated Users group, or if you are using security filtering and are missing the Read permission for the Domain Computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of these steps:

  • Add the Authenticated Users group with Read permission on the Group Policy Object (GPO).

  • If you are using security filtering, add the Domain Computers group with Read permission.

/* Google translation of the original text; the general meaning comes through */


        The two bulleted items under "Resolution" are the solution.

        The first approach is obviously impractical.

        The second method means that the computer objects on which the user Group Policy is meant to take effect must also be added to the security filtering, which in turn means that the approach of filtering or delegating only to the targeted user or user group to make the policy take effect no longer works.

        In plain terms: for a computer patched with KB3159398 to apply a user Group Policy deployed through GPMC, the policy's security filtering or delegation must include both objects, the computer and the user, at the same time!
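As an added example (not from the original post or from Microsoft's KB article), the following PowerShell audits every GPO in the domain for the condition in the "Cause" section above and, with -Fix, applies the second resolution by granting Domain Computers Read (GpoRead rather than GpoApply, so the user settings still apply only to the filtered users or groups). It assumes the GroupPolicy RSAT module on a domain-joined administrative workstation; the function name Get-GpoReadGap is the example's own.

```powershell
# Added example: find GPOs that will stop applying user settings after KB3159398.
Import-Module GroupPolicy

# Permission levels that include Read on the GPO (GpoApply and GpoEdit imply Read).
$ReadLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoReadGap {
    <# Returns the GPOs on which neither Authenticated Users (S-1-5-11) nor
       Domain Computers (domain SID + RID 515) holds a non-denied Read ACE.
       With -Fix, grants Domain Computers Read on each such GPO. #>
    param([switch]$Fix)

    foreach ($gpo in Get-GPO -All) {
        $acl = Get-GPPermission -Guid $gpo.Id -All

        $hasRead = $acl | Where-Object {
            $sid = $_.Trustee.Sid.Value
            (-not $_.Denied) -and
            ($ReadLevels -contains $_.Permission) -and
            ($sid -eq 'S-1-5-11' -or $sid -like '*-515')
        }

        if (-not $hasRead) {
            if ($Fix) {
                # Read only, not Apply: the computer must be able to read the GPO,
                # but user settings should still be scoped by the user filtering.
                Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
                    -TargetType Group -PermissionLevel GpoRead | Out-Null
            }
            [pscustomobject]@{
                Gpo   = $gpo.DisplayName
                Id    = $gpo.Id
                Fixed = [bool]$Fix
            }
        }
    }
}

# Report only (safe to run first):
Get-GpoReadGap | Format-Table -AutoSize

# Apply the second resolution to the affected GPOs (needs GPO edit rights):
# Get-GpoReadGap -Fix
```

Run the report first and compare it against the list of GPOs whose user settings went missing; GPOs that already grant Authenticated Users Read are not touched by -Fix.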

        Of course, on Windows 7 (more precisely, operating systems on the Windows NT 6.1 kernel) you can choose not to install this patch, or to uninstall it, but Windows 10 has this patch integrated and there is no way to uninstall it. What's more, among the users we serve there are quite a few compulsive types who use third-party software to upgrade patches. (I changed the Windows Update server address in GPMC, and the firewall blocks the patch download traffic of the mainstream security software (a certain "360", a certain "Guanjia", and so on), but there are still fish that slip through the net, and there is no way to chase this matter every day.)

        So, get used to it and change the management approach!

