After posting earlier this week about MS16-072, I’ve done quite a bit of investigation and sought advice from fellow MVPs (Jeremy Moskowitz and Darren Mar-Elia) who focus on Group Policy. Jeremy has a good post here in which he explains this change in much more detail.
With respect specifically to SBS 2008 and SBS 2011, however, I’ve found that we can run Jeremy’s script, but we need to make a minor change on SBS.
The modified version of the script is below and, based on my testing, it appears to work and the SBS magic does not appear to undo it afterwards as I reported yesterday here.
Import-Module GroupPolicy
Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain Computers" -PermissionLevel GpoRead
This will be the method I will use for our clients now.
Thanks so much to Jeremy Moskowitz and Darren Mar-Elia as they helped investigate what I was seeing and some sidetracks I took along the way. Appreciate your help.
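To confirm the change took effect, and that it is still in place later (for example after the SBS tooling has had a chance to run), the following added example reports every GPO where "Domain Computers" lacks read access. It is not part of the original script; it assumes the GroupPolicy PowerShell module is available and is run with rights to read GPO permissions, and the variable names are illustrative.

```powershell
# Added example (not from the original post): read-only audit of GPO permissions.
# Assumption: the GroupPolicy module is installed (Windows Server 2008 R2 or later / RSAT).
Import-Module GroupPolicy

$trustee = 'Domain Computers'
# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPPermissions raises an error when the trustee has no entry on the GPO,
    # so suppress it and treat an empty result as "no permission".
    $perm = Get-GPPermissions -Guid $gpo.Id -TargetName $trustee `
                -TargetType Group -ErrorAction SilentlyContinue

    $level  = if ($perm) { $perm.Permission.ToString() } else { 'None' }
    $denied = if ($perm) { [bool]$perm.Denied } else { $false }

    New-Object PSObject -Property @{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        Permission  = $level
        Denied      = $denied
        # A deny entry or a custom ACL needs manual review, so do not count it as readable.
        CanRead     = (($readLevels -contains $level) -and (-not $denied))
    }
}

$missing = @($report | Where-Object { -not $_.CanRead })

if ($missing.Count -eq 0) {
    Write-Output "All $(@($report).Count) GPOs grant read access to '$trustee'."
} else {
    Write-Output "$($missing.Count) GPO(s) do not grant read access to '$trustee':"
    $missing | Sort-Object DisplayName |
        Format-Table DisplayName, Permission, Denied, Id -AutoSize
}
```

The script changes nothing. A GPO listed with the permission GpoCustom has a hand-edited ACL and should be checked in the Group Policy Management Console.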