Friday, January 25, 2013 7:32 PM
I have an issue with a very small business environment and would very much appreciate someone else's opinion on this. There was an existing Windows Server 2008 R2 domain controller running AD-DS in this environment when I began working with it. The server was running two obscure business applications and there weren't any workstations or additional servers participating in the domain. The server was and is hosting AD-DS, DNS, and DHCP. From what I can tell ADDS was primarily being used for VPN access through the Cisco ASA 5505 in the environment.
The project I took on was to introduce a new Windows 2012 server configured with Hyper-V , AD-DS, DNS, and DHCP roles, migrate the two business applications currently residing on the Windows 2008 R2 server to their own Windows 2012 server VMs, add the workstations in the office to the domain, reconfigure the ASA 5505 so that the various business applications work, and add a second ASA 5505 as a shelf-spare.
As soon as I joined the two workstations (Windows 7 and Windows Vista) to the domain they immediately locked down. I found that whoever previously configured the domain set the Default Domain Policy to lock down users more than I've ever seen in a production environment. Users couldn't reboot, save files, couldn't change anything on the system. I went through the GPO and removed all of the lock-down settings, forced an update and the Windows 7 workstation began working properly. Nothing changed with the Vista workstation.
Since there are two DCs in the environment I verified that the policy replicated. I removed the Enfored option and added it back. Still no change to the vista box. This would still be something that I was researching but today when the user came in to the office and logged into the Windows 7 box the locked-down settings were in effect again. I've looked at both DCs and I can't find any reason for this to be happening. My questions are:
1. Why would the Vista workstation not accept the opened GPO? It did after all accept the locked-down version when it was first joined to the domain.
2. Why would the Windows 7 workstation revert back to a locked down version on the GPO? Since the lock-down settings are no longer configured in the GPO what could be writing them locally?
Thank you in advance...
Friday, January 25, 2013 7:47 PM
I stopped by reading "changed the Default Domain Policy".
Not realy ;-) But first at all - NEVER CHANGE A DEFAULT DOMAIN POLICY.
My recomendation would be that you reset everything to default and when you have the basic status you can lock down whatever you want. How to do that?
- Log on as a domain administrator to a DC.
- Start a command session.
- To reset the Domain GPO, type dcgpofix /target:Domain
- To reset the Default DC GPO, type dcgpofix /target:DC
- To reset both the Domain and Default DC GPOs, type dcgpofix /target:both
- After you enter the appropriate command in Step 3, enter Y to both prompts.
- Force AD replication
- Close the command window and you need to wait ca. 15 to 20 minutes
- Reboot all (!) DC's
- Reboot the Workstations
- Logon to the DC
- Create a NEW GPO
- Now you have factory default an can start again with lock down whatever you want and need
You can try to find the problem and search for the next 5 or 10 hours but this is a quicker solution.
Friday, January 25, 2013 11:20 PM
Thank you Torsten,
I agree about not changing the default. I removed the changes but did not reset it. When I try to reset with DCGPOFix it just says "The parameter is incorrect. The restore failed see previous messages for more details". The previous messages say nothing more than the standard information and warning. Any ideas why?
Saturday, January 26, 2013 10:29 AM
To use the "dcgpofix /Target: BOTH" command and get the "The parameter is incorrect" error is just easy.
Therefore, please don't input a blank between the "/Target:" and "BOTH" parameter.
Monday, January 28, 2013 12:26 PM> began working properly. Nothing changed with the Vista workstation.Open an elevated commandline, type "gpresult /h report.html" on bothmachines and compare the applied/denied GPO list.regards, Martin
NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
- Marked As Answer by JEthridge Thursday, January 31, 2013 6:59 PM
Tuesday, January 29, 2013 9:39 AMModerator
If you want to reset Default Domain Policy, I suggest we could refer to the following article.
Regarding the detailed information about Dcgpofix, please refer to the article below.
Hope this helps.
TechNet Community Support