
Now that we are all digging out from MS16-072, and facing the reality that it likely won’t be “fixed” anytime soon, I think it’s worthwhile to drop a quick blog post about how you can ensure that all GPOs created in your environment going forward get the proper read permissions. A long time ago, I blogged about how you could add additional groups to the default GPO ACL by modifying the defaultSecurityDescriptor attribute on the group-policy-container AD schema class. This method is well documented by Microsoft and will let you add Domain Computers with read access to every new GPO that gets created, addressing future problems with MS16-072. The process is relatively simple (or as simple as a schema change in AD can be).

The first step is that you obviously need permissions to make such a change. This means that you need to be a member of the Schema Admins group in AD. Here are the next steps. I probably don’t need to say this but MODIFYING THE SCHEMA SHOULD NOT BE TAKEN LIGHTLY!!!! SO BE CAREFUL.

1. If you have the AD tools installed on your server or workstation, fire up ADSIEdit.msc and, from the Action, Connect To menu, connect to the schema instance of your domain:

Connecting to the AD Schema in ADSIEdit


2. Once connected to the schema, expand the CN=Schema, CN=Configuration… tree to view all of the class and attribute objects on the right. Navigate down to CN=Group-Policy-Container, as shown here:

The Group Policy Container class in ADSIEdit


3. Double-click the group-policy-container class to bring up its attributes and navigate down to the defaultSecurityDescriptor attribute. Double-click that attribute and you will see a dialog with a long list of Security Descriptor Definition Language (SDDL) strings. Each group of SDDL strings in parentheses represents a default permission on the GPO.

4. The first thing I would do is select the whole SDDL string on the attribute and copy/paste it into Notepad so you have a backup of the pristine value in case something goes wrong. Next, put your cursor at the very end of that long string, after the last closing parenthesis, and paste the following SDDL string into the attribute value:

(A;CI;LCRPLORC;;;DC)

so it looks like the following (a good explanation of SDDL strings is here: https://jorgequestforknowledge.wordpress.com/2008/03/26/parsing-sddl-strings/):

Updating SDDL strings in group-policy-container class


5. Press OK to commit the change. The last thing you need to do, for this to take effect, is to reload the schema.

6. Load the AD Schema MMC snap-in (if you don’t see the snap-in appear in the MMC list, open an elevated command prompt and type regsvr32 schmmgmt.dll then restart MMC and it should appear), right-click the top level “Active Directory Schema” node and select “Reload the Schema” as shown here:

Reloading the AD Schema


7. Once completed, when you create a new GPO, you will see, under the delegation tab, the new Domain Computers group with Read permissions, as shown here:

A new GPO with Domain Computers read permissions

All future GPOs should now function properly in the brave new MS16-072 world!

Darren
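
The ACE pasted in step 4, decoded field by field, together with a check that appending it to a descriptor is idempotent and grants nothing beyond read. This is an added example, not code from the original post; the function names are illustrative and the sample descriptor is constructed, not the real schema default.

```python
import re

# Two-letter SDDL codes for directory-service access rights.
RIGHTS = {"CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
          "SW": "Self Write", "RP": "Read Property", "WP": "Write Property",
          "DT": "Delete Tree", "LO": "List Object", "CR": "Control Access",
          "SD": "Delete", "RC": "Read Control", "WD": "Write DACL",
          "WO": "Write Owner"}
READ_ONLY = {"LC", "RP", "LO", "RC"}  # the rights carried by the page's ACE
# A few well-known trustee aliases. "DC" is Domain Computers in the trustee
# field but Delete Child in the rights field; position decides the meaning.
TRUSTEES = {"DC": "Domain Computers", "DA": "Domain Admins",
            "EA": "Enterprise Admins", "AU": "Authenticated Users",
            "SY": "Local System", "CO": "Creator Owner"}

NEW_ACE = "(A;CI;LCRPLORC;;;DC)"  # the string from step 4
# Constructed sample value, NOT the real default of the schema class.
SAMPLE = "D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLCLORC;;;AU)"

def parse_ace(ace):
    """Decode one ACE such as '(A;CI;LCRPLORC;;;DC)' into a dict."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields in ACE: {ace!r}")
    ace_type, flags, rights, obj, inherit_obj, trustee = fields
    codes = re.findall("..", rights)
    if not codes or "".join(codes) != rights or any(c not in RIGHTS for c in codes):
        raise ValueError(f"unrecognised rights string: {rights!r}")
    # A frozenset makes 'RPLCLORC' and 'LCRPLORC' compare equal.
    return {"type": ace_type, "flags": flags, "rights": frozenset(codes),
            "object": obj, "inherit_object": inherit_obj, "trustee": trustee}

def describe(ace):
    """Return (trustee name, sorted list of right names) for one ACE."""
    a = parse_ace(ace)
    who = TRUSTEES.get(a["trustee"], a["trustee"])
    return who, sorted(RIGHTS[c] for c in a["rights"])

def append_read_ace(sddl, ace):
    """Return sddl with ace appended unless an equivalent ACE already exists.
    Refuses anything other than an allow ACE limited to read rights."""
    new = parse_ace(ace)
    if new["type"] != "A" or not new["rights"] <= READ_ONLY:
        raise ValueError("ACE grants more than read access")
    existing = [parse_ace(a) for a in re.findall(r"\([^()]*\)", sddl)]
    return sddl if new in existing else sddl + ace
```

Running `append_read_ace` against the backup copy saved in Notepad gives the exact value to compare with what ends up in the attribute after step 5.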