dcgpofix preparations

Posted on 2007-11-28
Last Modified: 2008-05-31
Our old IT staff made some major changes to the default domain policy and default domain controller policies.  Over the past few months we've broken most of the necessary settings into individual GPOs and applied them to the appropriate OUs.  

There are still some settings that I can't seem to undo in the Default policies, for example we have an "extra registry settings" section in our User Configuration\Administrative Templates\Extra Registry Settings\ on both default domain policy and default DC policies.  

To remedy these problems and start from scratch with default domain and default DC policies, I'd like to use dcgpofix to reset those two policies to an out of the box state.
The reason I'm doing this is because we're having some strange issues with policies not replicating to the clients, even when running gpupdate /force we still see a lot of computers that don't get the correct policies and that have problems with published applications.  Many of the errors logged on the clients are generic, "Check to make sure that you have access to the installation folder, etc..." I know the access rights are configured correctly because not all clients are affected by these widespread issues.  I'm not sure if this will fix or help to fix our problems, but I think it will be a good place to start.

I have a few questions that I haven't been able to find answers to so far:
I've never worked anywhere where the default domain policies have been so heavily modified, I'm just looking for someone who's done this before and the problems that they encountered as a result of this utility.
Will this utility reset the policies back to when we upgraded our DCs to 2003 or just the default out of the box configuration for 2003 server?
We're using RIS, will we need to reconfigure all of our RIS settings and start from scratch with RIS?
Will there be any negative impact on Exchange 2003 sp2?

Thanks in advance for your help.
Question by: hh_techservices
LVL 51

Expert Comment

ID: 20370214
Yes, there are negative effects on Exchange when you do this.

You can use GPMC and backup the policies, then restore them to the fixed policies, but I think that will simply return all the bad entries too.

You'll have to see where the registry adm is located and figure out what keys were touched.  Create a script to revert those registry settings then put it in a Startup script for the workstations.  This will fix the clients.
At the same time, rename the ADM so it can't be picked up again.  Track down the gpt.ini for that policy and scrub it of these entries from the registry adm and you should be all set.

Registry-based ADMs will tattoo the registry on whatever machines they touch.
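One way to do the "revert those registry settings in a Startup script" step from the comment above, as an added example that is not part of the thread. It runs as a computer Startup script (which executes as SYSTEM, so HKLM writes succeed), deletes the listed values if they are present, and logs what it did so the change can be traced per machine. The value list is a constructed placeholder: the keys you actually need come from reading the registry ADM that was applied. Values under the policy hives (HKLM\Software\Policies, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies and their HKCU equivalents, which is where the NC_ShowSharedAccessUI value mentioned later in the thread lives) are removed by the Group Policy engine itself when the setting is withdrawn; only values written outside those hives stay tattooed and need this kind of cleanup.

```powershell
# Startup-script example (added here, not from the thread): remove registry
# values a registry-based ADM left behind after the policy was withdrawn.
# Deploy via Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).

$LogFile = Join-Path $env:SystemRoot 'Temp\untattoo.log'

# Constructed placeholder list: replace with the values found in the ADM.
# Keys under HKLM:\SOFTWARE\Contoso\LegacyPolicy are hypothetical.
$Tattooed = @(
    @{ Path = 'HKLM:\SOFTWARE\Contoso\LegacyPolicy'; Name = 'DisableFeatureX' },
    @{ Path = 'HKLM:\SOFTWARE\Contoso\LegacyPolicy'; Name = 'TimeoutSeconds' }
)

function Remove-TattooedValue {
    param([string]$Path, [string]$Name)

    if (-not (Test-Path -LiteralPath $Path)) {
        return "absent  $Path\$Name (key missing)"
    }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return "absent  $Path\$Name"
    }

    # Record the old data in the log so the deletion can be reversed if an
    # application turns out to depend on it.
    $old = $item.$Name
    Remove-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    return "removed $Path\$Name (was: $old)"
}

$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($v in $Tattooed) {
    try {
        $msg = Remove-TattooedValue -Path $v.Path -Name $v.Name
    } catch {
        $msg = "error   $($v.Path)\$($v.Name): $($_.Exception.Message)"
    }
    Add-Content -Path $LogFile -Value "$stamp $env:COMPUTERNAME $msg"
}
```

The script is idempotent, so it can stay assigned for several reboots until every machine has reported "absent" and can then be removed from the GPO.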

Expert Comment

ID: 20372132
Assigning and publishing applications from GPO has never been very reliable.  It does work given enough time.

DCgpofix tool:

"If your network uses RIS with Windows 2000 Server, you should make the RIS server the first computer that you upgrade to Windows Server 2003. You won’t be able to use RIS later unless it is upgraded first because of design changes in the way that Active Directory performs authentication. Upgrading the RIS server to Windows Server 2003 gives it the ability to communicate with the remaining Windows 2000 domain controllers, as well as with Windows Server 2003 domain controllers." (

Author Comment

ID: 20374077
Netman66- There's only one "registry" based .adm that I'm worried about... it's Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI.
This policy was probably set before we upgraded to 2003?? but it's now an option in xp/2003.  In a group policy you can configure Computer Configuration\Administrative Templates\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network.  Whether or not this option is configured on the clients doesn't really matter to me... And after checking a handful of our workstations that should have the registry entry... none of them did.  So it would appear that the .adm portion of this policy isn't working anymore, which is fine by me.

You said that we will have negative effects on Exchange, specifically what kind of problems will we experience with exchange and what can I do to prevent or remedy these problems?


LVL 51

Accepted Solution

Netman66 earned 500 total points
ID: 20375388
Exchange adds some things to the Default Domain and Default Domain Controller policies - specifically, accounts to certain policy elements.

Simon would likely know just what, as I'm not perfectly certain.

All I know is that Exchange will stop working properly - for example sending mail, and maybe even the service startup on reboot.  I've run into this with a few people already and restoring the old policies returned it to service.

I'm sure if I spent an hour or two I could figure out what changes, but I don't have the cycles to look at this in that detail.

I just wanted to warn you to tread carefully if that was what you were going to ultimately do.
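The accepted answer is right that dcgpofix puts Exchange at risk, and the specific change it removes is known: Exchange 2000/2003 DomainPrep grants the "Manage auditing and security log" user right (SeSecurityPrivilege) to the Exchange Enterprise Servers group in the Default Domain Controllers Policy, and dcgpofix rebuilds that policy without it. The script below is an added example, not part of the thread and not a Microsoft procedure: it backs up both default GPOs (restorable with Restore-GPO) and their SYSVOL folders, saves a readable report of every setting so anything dcgpofix discards can be recreated in a purpose-built GPO, runs dcgpofix, and then checks whether the Exchange right survived. It assumes the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 or later, so newer than the 2003 domain in the thread), Domain Admin rights, execution on a domain controller, and a backup folder under C:\GPOBackup; the group name is the one DomainPrep creates.

```powershell
# Added example (not from the thread): back up, reset and verify the two
# default GPOs around a dcgpofix run. Requires the GroupPolicy module.

Import-Module GroupPolicy

$BackupDir = 'C:\GPOBackup\' + (Get-Date -Format 'yyyyMMdd-HHmm')   # assumption
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$Defaults = @('Default Domain Policy', 'Default Domain Controllers Policy')
$sysvol   = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"

# 1. GPMC-style backup plus an HTML report of every configured setting.
foreach ($name in $Defaults) {
    Backup-GPO -Name $name -Path $BackupDir | Out-Null
    $report = Join-Path $BackupDir (($name -replace ' ', '_') + '.html')
    Get-GPOReport -Name $name -ReportType Html -Path $report
}

# 2. Raw copy of the SYSVOL folders: registry.pol (ADM settings) and
#    GptTmpl.inf (security settings, including user rights) live there.
foreach ($name in $Defaults) {
    $id = (Get-GPO -Name $name).Id
    Copy-Item -Path (Join-Path $sysvol "{$id}") `
              -Destination (Join-Path $BackupDir "{$id}") -Recurse
}

# 3. Reset both policies to the out-of-the-box state. /ignoreschema is
#    required when the schema has been extended (Exchange); the tool
#    prompts for confirmation before it writes anything.
dcgpofix.exe /ignoreschema /target:Both

# 4. Check the user right Exchange DomainPrep added to the DC policy.
function Test-ExchangeSecurityPrivilege {
    param(
        [string]$InfPath,
        [string]$Group = 'Exchange Enterprise Servers'
    )
    if (-not (Test-Path -LiteralPath $InfPath)) { return $false }
    try {
        $sid = (New-Object System.Security.Principal.NTAccount($Group)).
                   Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        # Group does not resolve: Exchange DomainPrep was never run here.
        return $false
    }
    # GptTmpl.inf lists rights as: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $line = Get-Content -LiteralPath $InfPath |
            Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    return ($null -ne $line) -and ($line -match [regex]::Escape("*$sid"))
}

$dcId = (Get-GPO -Name 'Default Domain Controllers Policy').Id
$inf  = Join-Path $sysvol "{$dcId}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

if (-not (Test-ExchangeSecurityPrivilege -InfPath $inf)) {
    Write-Warning ('SeSecurityPrivilege no longer includes Exchange Enterprise Servers. ' +
                   'Re-run Exchange setup /domainprep (or re-add the right in the ' +
                   'Default Domain Controllers Policy) before the DCs refresh policy.')
}
```

Run it in a maintenance window: the warning at the end is expected after a successful reset, and the fix is to re-grant the right before the next policy refresh on the domain controllers, not to restore the old GPO, which would bring back every unwanted setting as well.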
