

dcgpofix preparations

Posted on 2007-11-28
Medium Priority
Last Modified: 2008-05-31
Our old IT staff made some major changes to the default domain policy and default domain controller policies.  Over the past few months we've broken most of the necessary settings into individual GPOs and applied them to the appropriate OUs.  

There are still some settings that I can't seem to un-do in the Default policies, for example we have an "extra registry settings" section in our User Configuration\Administrative Templates\Extra Registry Settings\ on both default domain policy and default DC policies.  

To remedy these problems and start from scratch with default domain and default DC policies, I'd like to use dcgpofix to reset those two policies to an out of the box state.  
The reason I'm doing this is because we're having some strange issues with policies not replicating to the clients, even when running gpupdate /force we still see a lot of computers that don't get the correct policies and that have problems with published applications.  Many of the errors logged on the clients are generic, "Check to make sure that you have access to the installation folder, etc..." I know the access rights are configured correctly because not all clients are affected by these widespread issues.  I'm not sure if this will fix or help to fix our problems, but I think it will be a good place to start.

I have a few questions that I haven't been able to find answers to so far:
I've never worked anywhere where the default domain policies have been so heavily modified, I'm just looking for someone who's done this before and the problems that they encountered as a result of this utility.
Will this utility reset the policies back to when we upgraded our DCs to 2003 or just the default out of the box configuration for 2003 server?
We're using RIS, will we need to reconfigure all of our RIS settings and start from scratch with RIS?
Will there be any negative impact on Exchange 2003 sp2?

Thanks in advance for your help.
Question by:hh_techservices
LVL 51

Expert Comment

ID: 20370214
Yes, there are negative effects on Exchange when you do this.

You can use GPMC and backup the policies, then restore them to the fixed policies, but I think that will simply return all the bad entries too.

You'll have to see where the registry adm is located and figure out what keys were touched.  Create a script to revert those registry settings then put it in a Startup script for the workstations.  This will fix the clients.
At the same time, rename the ADM so it can't be picked up again.  Track down the gpt.ini for that policy and scrub it of these entries from the registry adm and you should be all set.

Registry-based ADMs will tattoo the registry on whatever machines they touch.

Expert Comment

ID: 20372132
Assigning and publishing applications from GPO has never been very reliable.  It does work given enough time.

DCgpofix tool:


"If your network uses RIS with Windows 2000 Server, you should make the RIS server the first computer that you upgrade to Windows Server 2003. You won’t be able to use RIS later unless it is upgraded first because of design changes in the way that Active Directory performs authentication. Upgrading the RIS server to Windows Server 2003 gives it the ability to communicate with the remaining Windows 2000 domain controllers, as well as with Windows Server 2003 domain controllers." (download.microsoft.com/download/9/9/6/996f17f2-e008-4581-a26f-9098f87690e2/Upgwin2k.doc)

Author Comment

ID: 20374077
Netman66- There's only one "registry" based .adm that I'm worried about... it's Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI.

This policy was probably set before we upgraded to 2003?? but it's now an option in xp/2003.  In a group policy you can configure Computer Configuration\Administrative Templates\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network.  Whether or not this option is configured on the clients doesn't really matter to me... And after checking a handful of our workstations that should have the registry entry... none of them did.  So it would appear that the .adm portion of this policy isn't working anymore, which is fine by me.

You said that we will have negative effects on Exchange, specifically what kind of problems will we experience with exchange and what can I do to prevent or remedy these problems?
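Added example, not code from the thread, for the startup-script approach suggested in the first comment, using the NC_ShowSharedAccessUI value named above as its first entry. One caveat first: values written under the four policy hives (HKLM and HKCU \Software\Policies and \Software\Microsoft\Windows\CurrentVersion\Policies) are removed by the Registry client-side extension as soon as the GPO stops applying, which is why the value turned up on none of the workstations checked; a script like this is only needed for values an ADM writes outside those hives, which stay behind (tattoo) after the policy is gone, and it only helps once the setting has been taken out of the GPO, otherwise the next refresh writes it back. The second entry (a Contoso key) is hypothetical to show that case, and the log path is an assumption. It is written in PowerShell for readability; on Windows XP/2003 clients a GPO startup script is a .bat or .vbs, so it would be deployed through a one-line .bat that runs `powershell.exe -ExecutionPolicy Bypass -File <path>`.

```powershell
# Added example (not from the thread). Startup script, run as LocalSystem, that
# removes or resets registry values a retired Administrative Template left behind.
# First entry is the value named in the post; the second is a hypothetical key
# outside the \Policies hives, the only kind the Registry CSE will not clean up.
$ErrorActionPreference = 'Stop'
$LogFile = Join-Path $env:SystemRoot 'Temp\revert-policy.log'   # assumption: log location

$Reverts = @(
    @{ Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Name = 'NC_ShowSharedAccessUI' },                        # no Restore: delete it
    @{ Key  = 'HKLM:\SOFTWARE\Contoso\LegacyAdm'                # hypothetical tattooed key
       Name = 'DisableSomething'; Restore = 0 }                 # reset to a known value
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

function Revert-PolicyValue([hashtable]$Entry) {
    if (-not (Test-Path -LiteralPath $Entry.Key)) {
        Write-Log "SKIP  $($Entry.Key) does not exist"; return
    }
    $item = Get-ItemProperty -LiteralPath $Entry.Key
    $prop = $item.PSObject.Properties[$Entry.Name]
    if ($null -eq $prop) {
        Write-Log "OK    $($Entry.Key)\$($Entry.Name) already absent"; return
    }
    if ($Entry.ContainsKey('Restore')) {
        if ($prop.Value -eq $Entry.Restore) {
            Write-Log "OK    $($Entry.Key)\$($Entry.Name) already $($Entry.Restore)"; return
        }
        Set-ItemProperty -LiteralPath $Entry.Key -Name $Entry.Name -Value $Entry.Restore
        Write-Log "FIXED $($Entry.Key)\$($Entry.Name): '$($prop.Value)' -> '$($Entry.Restore)'"
    } else {
        Remove-ItemProperty -LiteralPath $Entry.Key -Name $Entry.Name
        Write-Log "FIXED $($Entry.Key)\$($Entry.Name): removed (was '$($prop.Value)')"
    }
}

foreach ($entry in $Reverts) {
    # One bad entry must not abort the rest or hang the machine at startup.
    try { Revert-PolicyValue $entry }
    catch { Write-Log "ERROR $($entry.Key)\$($entry.Name): $_" }
}
```

Deploy it under Computer Configuration, Windows Settings, Scripts (Startup) so it runs as LocalSystem with write access to HKLM; the log shows, per machine, which values were actually present, which is the quickest way to tell a tattooed value from one the CSE already cleaned up.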


LVL 51

Accepted Solution

Netman66 earned 2000 total points
ID: 20375388
Exchange adds some things to the Default Domain and Default Domain Controller policies - specifically, accounts to certain policy elements.

Simon would likely know just what, as I'm not perfectly certain.

All I know is that Exchange will stop working properly - for example sending mail, and maybe even the service startup on reboot.  I've run into this with a few people already and restoring the old policies returned it to service.

I'm sure if I spent an hour or two I could figure out what changes, but I don't have the cycles to look at this in that detail.

I just wanted to warn you to tread carefully if that was what you were going to ultimately do.
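Added example, not from the thread, that turns the warning above into a pre-flight and post-check for the reset. dcgpofix recreates the two GPOs with the Windows Server 2003 installation defaults (it is not a restore of any earlier state, and it refuses to run across a schema version mismatch unless /ignoreschema is given), so the GPMC backup taken in the `before` phase is the only rollback. The script also records the user rights in force on the DC before and after, because that is where the Exchange dependency lives: Exchange 2003 DomainPrep grants the Exchange Enterprise Servers group the "Manage auditing and security log" right (SeSecurityPrivilege) through the Default Domain Controllers Policy, and losing it produces the mail-flow and service-start failures described; re-running Exchange setup /domainprep puts it back. Assumes GPMC is installed in its default path, an elevated prompt on a DC, and that `gpupdate /force` has been run on the DC before the `after` phase; the backup folder and file names are assumptions.

```powershell
# Added example (not from the thread): snapshot the two default GPOs and the user
# rights in force on this DC before dcgpofix, then diff the rights afterwards so
# anything granted through those GPOs (Exchange DomainPrep included) is visible.
# Assumes GPMC's sample scripts at the default path and an elevated prompt on a DC.
param(
    [Parameter(Mandatory = $true)][ValidateSet('before', 'after')][string]$Phase,
    [string]$BackupRoot = 'C:\GPObackups'                        # assumption: backup folder
)
$ErrorActionPreference = 'Stop'
$GpmcScripts = Join-Path $env:ProgramFiles 'GPMC\Scripts'        # assumption: default GPMC path

function Export-UserRights([string]$Path) {
    # secedit exports the local security database; on a DC that holds the user
    # rights the Default Domain Controllers Policy last applied.
    & secedit.exe /export /cfg $Path /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }
}

function Read-UserRights([string]$Path) {
    # Parse the [Privilege Rights] section into privilege -> sorted grantee names.
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $priv = $Matches[1]; $raw = $Matches[2]
        $members = foreach ($m in $raw -split ',') {
            $m = $m.Trim()
            if ($m -eq '') { continue }
            if ($m.StartsWith('*')) {
                # Entries are SIDs prefixed with '*'; resolve them, keep the raw SID if
                # it no longer resolves (a deleted account is itself worth seeing).
                try { (New-Object System.Security.Principal.SecurityIdentifier($m.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $m }
            } else { $m }
        }
        $rights[$priv] = @($members | Sort-Object)
    }
    return $rights
}

function Compare-UserRights([hashtable]$Before, [hashtable]$After) {
    # One line per privilege whose grantees changed between the two snapshots.
    foreach ($priv in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        $lost   = @($Before[$priv] | Where-Object { $After[$priv]  -notcontains $_ })
        $gained = @($After[$priv]  | Where-Object { $Before[$priv] -notcontains $_ })
        if ($lost.Count -or $gained.Count) {
            "{0}: lost [{1}] gained [{2}]" -f $priv, ($lost -join ', '), ($gained -join ', ')
        }
    }
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$inf = Join-Path $BackupRoot "userrights-$Phase.inf"

if ($Phase -eq 'before') {
    foreach ($gpo in 'Default Domain Policy', 'Default Domain Controllers Policy') {
        # GPMC sample script; restoring this backup through GPMC is the rollback path.
        & cscript.exe //nologo (Join-Path $GpmcScripts 'BackupGPO.wsf') $gpo $BackupRoot '/comment:pre-dcgpofix'
    }
    Export-UserRights $inf
    "Snapshot written to $BackupRoot. Next: dcgpofix /target:both, then gpupdate /force on this DC, then rerun with -Phase after."
} else {
    Export-UserRights $inf
    $diff = Compare-UserRights (Read-UserRights (Join-Path $BackupRoot 'userrights-before.inf')) (Read-UserRights $inf)
    if ($diff) { $diff } else { 'No user-right changes detected (only meaningful after a policy refresh).' }
    # Exchange 2003 DomainPrep grants SeSecurityPrivilege to Exchange Enterprise Servers
    # via the Default Domain Controllers Policy; dcgpofix drops it.
    if ($diff -match '^SeSecurityPrivilege: lost \[[^\]]*Exchange Enterprise Servers') {
        Write-Warning 'Exchange Enterprise Servers lost "Manage auditing and security log": re-run Exchange setup /domainprep.'
    }
}
```

Everything else the diff reports is worth the same treatment: any other account or group that appears under `lost` was being granted a DC right by one of the two default policies, and either belongs in a new, narrowly scoped GPO or was part of the damage being undone.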

