2008/2008r2 Wolftech Default Domain Policy Change

From 5pm-8pm there was intermittent access to DFS in the WolfTech AD domain. The culprit for the problems seen earlier was determined to be a portion of the 2008/2008r2 policies implemented at the end of January: http://sysnews.ncsu.edu/news/4d33a91d

There is a startup script that runs and removes the “Domain Users” and “Authenticated Users” groups from the local “Users” group on the server. As it is a startup script, it is only applied at reboot. This particular change would primarily affect file, print, and web servers.

Due to the unexpected issues that this has caused (despite being good security practice) AND the fact that the “Late” patches were released from WSUS earlier today (meaning that many servers will apply them and reboot @ 3am tonight) we are pulling this script until we can discuss the impact further later this month.

The Group Policies having this script removed are as follows:

  • Wolftech Default Domain Policy – WS08
  • Wolftech Default Domain Policy – WS08R2