For a Group Policy Object to apply to a user, that user must hold two Allow permissions on the GPO: Read and Apply Group Policy.
By default a new GPO carries several permission entries at different access levels, but only one of them has both Read and Apply Group Policy: the special group "Authenticated Users".
The KB article (KB3163622) has since been updated to explain that MS16-072 changes the security context in which user group policies are retrieved.
This by-design behavior change protects customers’ computers from a security vulnerability.
2008R2 Server, Win7 Clients: I have a small domain with only three GPOs linked to the domain itself.
First (link order 1) is the Default Domain Policy, which was created automatically and has settings for password policies.
Before MS16-072 is installed, user group policies are retrieved using the user's security context.
After MS16-072 is installed, user group policies are retrieved using the machine's security context.
To centrally manage a group of computers, the machines must receive and enforce GPOs.
A version of Group Policy called Local Group Policy ("LGPO" or "Local GPO") also allows Group Policy Object management on standalone and non-domain computers.
Group Policy, in part, controls what users can and cannot do on a computer system: for example, enforcing a password complexity policy that prevents users from choosing an overly simple password, allowing or preventing unidentified users on remote computers from connecting to a network share, blocking access to the Windows Task Manager, or restricting access to certain folders.
This issue may occur if the Group Policy Object is missing the Read permission for the Authenticated Users group, or if you are using security filtering and are missing the Read permission for the Domain Computers group.
PowerShell script: MS16-072 – Known Issue – Use PowerShell to Check GPOs
So, while it seems Microsoft is sort of blaming customers for their implementations of Group Policy security, there's a bigger factor here I hope doesn't get lost in the shuffle.
We can thank Microsoft for delivering the recommended resolutions, but those didn't deliver until AFTER the patch caused customer pain.
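As an added example (not Microsoft's published "Use PowerShell to Check GPOs" script and not code from this page), the following report-only check walks every GPO in the domain and flags those where neither Authenticated Users nor Domain Computers can read the object, which is exactly the condition that breaks user policy after MS16-072. It assumes the GroupPolicy RSAT module is installed and the caller can read each GPO's permissions; the `-Fix` switch and the function name are mine.

```powershell
# Added example, not Microsoft's published check script. Assumes the GroupPolicy
# RSAT module is available and the caller can read every GPO's permissions.
Import-Module GroupPolicy

function Test-Ms16072GpoRead {
    [CmdletBinding()]
    param(
        # Hypothetical switch: when set, grant Authenticated Users Read (not Apply)
        # on at-risk GPOs that have no entry for that group at all.
        [switch]$Fix
    )
    # Permission levels that include Read; an explicit Deny entry never counts.
    $readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

    foreach ($gpo in Get-GPO -All) {
        $perms   = Get-GPPermission -Guid $gpo.Id -All
        $readers = $perms | Where-Object { -not $_.Denied -and ($readLevels -contains $_.Permission) }

        # Authenticated Users is the well-known SID S-1-5-11; Domain Computers is RID 515.
        $authUsersRead       = [bool]($readers | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })
        $domainComputersRead = [bool]($readers | Where-Object { $_.Trustee.Sid.Value -like 'S-1-5-21-*-515' })
        $authUsersEntry      = $perms   | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

        # After MS16-072 the computer account reads user policy, so one of the two
        # groups must be able to read the GPO or its user settings silently stop applying.
        $atRisk = -not ($authUsersRead -or $domainComputersRead)

        if ($atRisk -and $Fix -and -not $authUsersEntry) {
            # Read only: who the GPO applies to (security filtering) is unchanged.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $authUsersRead = $true
            $atRisk = $false
        }

        [pscustomobject]@{
            Name                   = $gpo.DisplayName
            Id                     = $gpo.Id
            AuthenticatedUsersRead = $authUsersRead
            DomainComputersRead    = $domainComputersRead
            AtRisk                 = $atRisk
        }
    }
}

# Report only; add -Fix to grant Read to Authenticated Users on flagged GPOs.
Test-Ms16072GpoRead | Where-Object { $_.AtRisk } | Format-Table -AutoSize
```

Run it without `-Fix` first and review the list: a GPO that is intentionally filtered to a narrow group still needs Read for Authenticated Users or Domain Computers, and adding only Read keeps its Apply scope exactly as it was.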