Computer not updating gpo
If adding “Authenticated Users” with just “Read” permissions is not an option in your environment, then you will need to add the “Domain Computers” group with “Read” Permissions.
If you want to limit it beyond the Domain Computers group: Administrators can also create a new domain group and add the computer accounts to the group so you can limit the “Read Access” on a Group Policy Object (GPO).
If permissions on any of the Group Policy Objects in your active Directory domain have not been modified, are using the defaults, and as long as Kerberos authentication is working fine in your Active Directory forest (i.e.
there are not Kerberos errors visible in the system event log on client computers while accessing domain resources), there is nothing else you need to make sure before you deploy the security update.
Notice that no other user or group is included to have “Read” or “Apply Group Policy” permissions other than the default Domain Admins and Enterprise Admins.
The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (Mi TM) attack against the traffic passing between a domain controller and the target machine on domain-joined Windows computers.Select and Deploy GPOs again: Note: To modify permissions on multiple AGPM-managed GPOs, use shift click or ctrl click to select multiple GPO’s at a time then deploy them in a single operation. The targeted GPO now have the new permissions when viewed in AD: Below are some Frequently asked Questions we have seen: Q1) Do I need to install the fix on only client OS? A1) It is recommended you patch Windows and Windows Server computers which are running Windows Vista, Windows Server 2008 and newer Operating Systems (OS), regardless of SKU or role, in your entire domain environment.These updates only change behavior from a client (as in “client-server distributed system architecture”) standpoint, but all computers in a domain are “clients” to SYSVOL and Group Policy; even the Domain Controllers (DCs) themselves Q2) Do I need to enable any registry settings to enable the security update?In some deployments, administrators may have removed the “Authenticated Users” group from some or all Group Policy Objects (Security filtering, (Name of the Group Policy Object) to only apply to the user with name “MSFT Ajay” and not to any other user, then the above is how the Group Policy would have been filtered for other users.“Authenticated Users” has been removed intentionally in the above example scenario.