Microsoft Issues Guidance on Group Policy-Breaking Patches
Microsoft published new advice on how to repair the damage from broken Group Policy Objects from June's patches that had some IT professionals up in arms.Last month, Microsoft once again reminded the IT community about the importance of testing Windows operating system patches before deploying them to their entire fleet of user systems. June's patches for various Windows operating systems, including Windows Vista, Windows 10 and Server 2008, contained security updates that changed how user Group Policy Objects (GPO) work for many organizations. Update MS16-072 was issued to plug a vulnerability that could be used to mount a privilege escalation attack in the event of a man-in-the-middle attack against traffic flowing between target Windows systems and a domain controller. "An attacker could then create a group policy to grant administrator rights to a standard user," cautioned Microsoft in a June 14 security bulletin. "The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP [Lightweight Directory Access Protocol]." For unsuspecting systems administrators, the patches threw a wrench into their finely tuned Windows environments. On Twitter, support forums and other online communities, IT professionals blasted Microsoft for releasing a patch that broke their GPOs, causing networked printers and application shortcuts to vanish for some users while off-limits network drives appeared for others, among several other complaints.
As its name implies, a Group Policy Object describes a collection of Windows settings that is intended to be applied to the PCs of a select group of users in Active Directory environments. Enterprises use GPOs for centralized and streamlined management of Windows PCs used by their various departments and sites.