Setup was simple, 10 Win7 Pro computers to be setup in a computer lab. They're replacing some XP computers that used SteadyState to lock them down.
There is no SteadyState for Win7, only good ol' fashioned Group Policy.
Sent armed with the knowledge that SteadyState==Group Policy==Registry Tweaks, I figured he'd do fine.
He came from identical education (the same instructors, even), and had been learning the trade for many months now, so I was certain he was aware of the hidden dangers of Group Policy.
He carefully crafted a 'lockdown' GPO, to keep the lab computers safe. It worked well in principle, except that the computer policies never applied, the GPO wasn't configured to affect the OUs where the computer accounts lurked; only the user settings successfully stuck.
When he asked, "How do I get these computer settings to apply?" I responded, "Link the OU to the top of the domain, and apply the proper users/groups/computers to the Security Filtering." "Be sure to remove all the previous Security Filters, or you could lock down the entire domain," I cautioned.
Well, that last part went unheeded, so tomorrow morning I have to figure out how to remove a group policy object from a locked out, locked down Domain Controller.
If you have suggestions on how to repair, please hold off. I want a chance at fixing this without assistance.
</rant>
[link] [2 comments]