In the past, for ease of management or other purposes, when we deployed a user policy in Group Policy through the GPMC (for example, user folder redirection), we simply linked the policy to the OU at the user's level or an ancestor OU, and then selected the user (or the user group the user belongs to) under "Security Filtering". However, last October, when a virtual machine template was packaged, all the security patches for Win7 Pro SP1 x64 were installed. Because this was an update on top of the original template, there was no thorough testing (the few necessary tests were done while logged in as the system's local administrator). When a new virtual machine was created from this template for colleagues and they logged in with their domain user accounts, we found that all user-based policies had stopped working!!!
At this point, again misled by past experience, the routine SYSVOL checks and gpresult analysis wasted a lot of hours.
After some thought: the differences between the old and new templates were the versions of some applications and the number of Microsoft patches. So I copied a template and, starting with the Microsoft patches, removed them one at a time, testing after each removal. After KB3159398 was removed, the user policies were restored. Baidu: Microsoft's KB3159398 description. Microsoft has written in black and white about the impact of this patch and has given a solution:
Symptoms
All user group policies, including user group policies that have security filtering on user accounts or security groups, may not be applied to domain-joined computers.
Cause
This problem may occur if the Group Policy object is missing the Read permission for the Authenticated Users group, or if you are using security filtering and are missing the Read permission for the Domain Computers group.
Resolution
To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of these steps:
- Add the Authenticated Users group with Read permission on the Group Policy object (GPO).
- If you are using security filtering, add the Domain Computers group with Read permission.
/* The above is the original Google Translate output; the general meaning is readable. */
The two unordered list items under Resolution are the solution.
The first approach is obviously not practical.
The second approach is to also add to the security filtering the computer objects on which the user Group Policy should take effect. In other words, a policy whose filtering or delegation covers only the user or user group no longer takes effect.
Put plainly: on a computer with the KB3159398 patch installed, for a user Group Policy issued through the GPMC to be applied, the policy's security filtering or delegation must include both objects, this computer and the user!
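An audit for the condition described above, as an added example that is not part of the original post or of Microsoft's article. It assumes PowerShell 3.0 or later with the GroupPolicy module (GPMC/RSAT) on a domain-joined admin workstation, an English-named "Domain Computers" group, and the function name Get-GpoReadGap is made up for illustration. GPOs that grant Read to a custom computer group instead will show up as MissingRead and need a manual look.

```powershell
# Added example: list GPOs that have no computer-side Read permission.
Import-Module GroupPolicy

# Permission levels that include Read. GpoCustom is ambiguous, so it is
# reported separately for manual review in the GPMC Delegation tab.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoReadGap {
    foreach ($gpo in Get-GPO -All) {
        # Match well-known SIDs instead of names so localized domains work:
        # S-1-5-11 = Authenticated Users, <domain SID>-515 = Domain Computers.
        $aces = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
            -not $_.Denied -and (
                $_.Trustee.Sid.Value -eq 'S-1-5-11' -or
                $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }
        $levels = @($aces | ForEach-Object { $_.Permission.ToString() })

        $status = if ($levels | Where-Object { $readLevels -contains $_ }) {
            'OK'
        } elseif ($levels -contains 'GpoCustom') {
            'Review'
        } else {
            'MissingRead'
        }

        if ($status -ne 'OK') {
            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Id        = $gpo.Id
                GpoStatus = $gpo.GpoStatus
                Status    = $status
            }
        }
    }
}

$gaps = @(Get-GpoReadGap)
$gaps | Format-Table -AutoSize

# Remediation preview: grant Domain Computers Read only (not Apply), so the
# user/group entries in Security Filtering still decide who gets the policy.
# Remove -WhatIf once the list has been reviewed.
$gaps | Where-Object { $_.Status -eq 'MissingRead' } | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoRead -WhatIf
}
```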
Of course, on Win7, or more precisely on operating systems with the Windows NT 6.1 kernel version, you can choose not to install this patch, or uninstall it afterwards, but WIN10 has the patch integrated and there is no way to uninstall it. Not to mention that among the people we support there are obsessive-compulsive users who use third-party software to install patches. (I changed the Windows Update server address in GPMC, and the firewall blocks the patch download traffic of the mainstream security software (some 60 stewards, and the like). But something will always slip through, and there is no way to revolve around this thing every day.)
So, make it a habit and change the management method!
Wondering: when Windows 7 has the KB3159398 patch installed, what does the GPMC do with user-object-based policies?