Good afternoon,
I have an issue with a very small business environment and would very much appreciate someone else's opinion on this. There was an existing Windows Server 2008 R2 domain controller running AD-DS in this environment when I began working with it. The server was running two obscure business applications and there weren't any workstations or additional servers participating in the domain. The server was and is hosting AD-DS, DNS, and DHCP. From what I can tell ADDS was primarily being used for VPN access through the Cisco ASA 5505 in the environment.
The project I took on was to introduce a new Windows 2012 server configured with Hyper-V, AD-DS, DNS, and DHCP roles, migrate the two business applications currently residing on the Windows 2008 R2 server to their own Windows 2012 server VMs, add the workstations in the office to the domain, reconfigure the ASA 5505 so that the various business applications work, and add a second ASA 5505 as a shelf-spare.
As soon as I joined the two workstations (Windows 7 and Windows Vista) to the domain they immediately locked down. I found that whoever previously configured the domain set the Default Domain Policy to lock down users more than I've ever seen in a production environment. Users couldn't reboot, save files, couldn't change anything on the system. I went through the GPO and removed all of the lock-down settings, forced an update and the Windows 7 workstation began working properly. Nothing changed with the Vista workstation.
Since there are two DCs in the environment I verified that the policy replicated. I removed the Enforced option and added it back. Still no change to the Vista box. This would still be something that I was researching, but today when the user came in to the office and logged into the Windows 7 box the locked-down settings were in effect again. I've looked at both DCs and I can't find any reason for this to be happening. My questions are:
1. Why would the Vista workstation not accept the opened GPO? It did after all accept the locked-down version when it was first joined to the domain.
2. Why would the Windows 7 workstation revert to the locked-down version of the GPO? Since the lock-down settings are no longer configured in the GPO, what could be writing them locally?
Thank you in advance...
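A diagnostic script for the situation described in the post, added here as an example and not part of the original post: it checks that the edited Default Domain Policy has the same AD and SYSVOL version numbers on both domain controllers (a mismatch means a client can still pull the old copy), exports the policy's settings from each DC for comparison, and then, on the affected workstation, records which DC served the policy and which GPOs (including the Local Group Policy) were applied. The DC names `DC-2008` and `DC-2012` and the domain `corp.example` are assumptions and should be replaced with the real names; the script requires the GroupPolicy RSAT module.

```powershell
# Added example, not from the original post. Assumes the GroupPolicy module (RSAT)
# is installed and run from an account that can read the domain's GPOs.
Import-Module GroupPolicy

$Domain  = 'corp.example'            # assumption: replace with the real AD domain
$DCs     = @('DC-2008', 'DC-2012')   # assumption: the 2008 R2 and 2012 DCs
$GpoName = 'Default Domain Policy'

# Step 1: compare the GPO's version counters on each DC.
# The AD (DS) and SYSVOL counters must match each other on a DC, and must match
# across DCs; otherwise the client may apply the pre-edit policy from the lagging DC.
function Get-GpoVersionTable {
    foreach ($dc in $DCs) {
        $gpo = Get-GPO -Name $GpoName -Domain $Domain -Server $dc
        [pscustomobject]@{
            DC             = $dc
            UserDS         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            ComputerDS     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            Modified       = $gpo.ModificationTime
            Status         = $gpo.GpoStatus
        }
    }
}
Get-GpoVersionTable | Format-Table -AutoSize

# Step 2: export the settings each DC actually holds, so the "opened" policy can be
# diffed against what the workstation reports applying.
foreach ($dc in $DCs) {
    Get-GPOReport -Name $GpoName -Domain $Domain -Server $dc -ReportType Html `
        -Path (Join-Path $env:TEMP "DefaultDomainPolicy-$dc.html")
}

# Step 3 (run on the affected workstation, as the affected user):
# which DC served the policy, which GPOs applied, and whether a Local Group Policy
# or a filtered/denied GPO is in the list.
gpresult /r /scope:user
gpresult /r /scope:computer
gpresult /h (Join-Path $env:TEMP 'rsop.html') /f

# Step 4 (same workstation): list policy values present in the registry's Policies
# hives. Entries here with no matching GPO setting point to a local policy or to
# values written outside Group Policy.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        "== $key"
        Get-ItemProperty -Path $key | Format-List
    }
}
```

Run steps 1 and 2 from either DC (or a management workstation with RSAT), and steps 3 and 4 on the Vista and Windows 7 machines; if the version table disagrees between DCs, the replication problem is the first thing to resolve, and if `gpresult` lists "Local Group Policy" or a GPO you did not expect, that is where the lock-down settings are coming from.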