In our last newsletter on Patch Friday, we talked about denying patch KB3159398 because of the problems it would generate for you if you have a GPO that maps drives or printers. (If you missed this, you can review this InfoWorld article. )
We were unsuccessful in coming up with a working script that would remedy this for you. Trying to get some PowerShell scripts to run as an elevated user, just do not reliably work. What we ARE able to do is generate a nice audit of your GPOs based on the information supplied in this article
The script is located on ClubMSP and is called “GPO Patch audit (KB3159398)”. If you are on our hosted Kaseya servers, you will find it under “Patch Deployment” folder. When you execute this script it with audit the GPOs , and then email the administrator who ran the script with the results.
You should immediately:
- Use a view (i.e. zz[SYS] Policy – Role_Domain Controller) to only show your servers that have a Domain Controller role.
- Run this script on all of those machines.
In the email you will see two different subjects:
- If everything comes back with the correct “Authenticated User” permission, the subject line will read: OK – GPO Audit results for {xyxserver}. You can ignore these, they are informational.
- If any ONE of the GPOs doesn’t have the correct permission, you will get a subject line that reads: NEEDS REVIEW – GPO Audit results for {xyxserver} . These emails will need to be reviewed and remediated.
PLEASE NOTE: It is important that you remediate these ASAP, as we will likely approve the patch in the next 30 days.
If you have any questions please let us know.
