After posting earlier this week about MS16-072, I’ve done quite a bit of investigation and sought advice from fellow MVPs (Jeremy Moskowitz and Darren Mar-Elia) who focus on Group Policy. Jeremy has a good post here that he’s done a lot more explanation on this change.
With respect specifically to SBS 2008 and SBS 2011 however, I’ve found that we can run Jeremy’s script but we need to make a minor change on SBS.
The modified version of the script is below and based on my testing, it appears to work and the SBS magic does not appear to undo it afterwards as I reported yesterday here
Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName “Domain computers” -PermissionLevel GpoRead
This will be the method I will use for our clients now.
Thanks so much for Jeremy Moskowitz and Darren Mar-Elia as they helped investigate what I was seeing and some sidetracks I took along the way. Appreciate your help.
Jeremy Saunders says
You can also use my script: http://www.jhouseconsulting.com/2016/06/22/script-to-report-on-and-remediate-the-group-policy-security-change-in-ms16-072-1627
Kevin Royalty says
Wayne – i tried this on a test SBS2008 server and the import-module GroupPolicy returns an error about no valid module found. perchance do we need a certain version of powershell on sbs2008 for this to work?
Wayne Small says
I’ve tested using mainly on SBS 20011 – which has PowerShell 2.0 on it. Can you check what you have please?