GPO report is not generated if Authenticated Users group is removed (NETIQKB71341)

  • 7771341
  • 13-Nov-2008
  • 04-Dec-2008

Environment

Group Policy Administrator 6.0

Situation

GPO report is not generated if Authenticated Users group is removed.

If you remove the Authenticated Users group from the Delegation tab of a Repository GPO, the GPO settings report is not generated and the message "Error encountered while generating the report." is displayed.

Note that this scenario only happens if the Repository GPO has been created, imported or migrated inside a trusted domain (forest or external trust relationship between the forests).

If you try the same steps for a GPO created, imported or migrated in the same domain or a child domain, the GPO settings report is generated.

Resolution

The workaround in such cases is as follows: if, as a GPA administrator, you remove 'Authenticated Users' from the GPO, you have to explicitly assign yourself at least 'Read' permissions in order to be able to generate and see the settings report. If an administrator with higher authority, who needs to approve the change in the repository, wants to see the settings report before approving it, then that administrator has to be explicitly assigned 'Read' permissions on the GPO as well.

Cause

The software is working as expected. If you remove 'Authenticated Users' from the GPO, then you cannot see its settings in a report; by that yardstick, the software is working correctly. However, consider the perspective of a GPA administrator who is removing 'Authenticated Users' and adding a specific set of users to the GPO. When he makes such a change in the repository and wants to roll it out into AD, there is no way he can see the settings that he has edited or defined. If he (or anyone else) cannot see the settings, then the GPO cannot be approved and exported.

Additional Information

Formerly known as NETIQKB71341