hh_techservices
dcgpofix preparations

Our old IT staff made some major changes to the default domain policy and default domain controller policies.  Over the past few months we've broken most of the necessary settings into individual GPOs and applied them to the appropriate OUs.  

There are still some settings that I can't seem to undo in the Default policies; for example, we have an "extra registry settings" section under User Configuration\Administrative Templates\Extra Registry Settings\ in both the default domain policy and the default DC policy.

To remedy these problems and start from scratch with default domain and default DC policies, I'd like to use dcgpofix to reset those two policies to an out of the box state.  
http://technet2.microsoft.com/windowsserver/en/library/48872034-1907-4149-b6aa-9788d38209d21033.mspx?mfr=true
The reason I'm doing this is because we're having some strange issues with policies not replicating to the clients, even when running gpupdate /force we still see a lot of computers that don't get the correct policies and that have problems with published applications.  Many of the errors logged on the clients are generic, "Check to make sure that you have access to the installation folder, etc..." I know the access rights are configured correctly because not all clients are affected by these widespread issues.  I'm not sure if this will fix or help to fix our problems, but I think it will be a good place to start.

I have a few questions that I haven't been able to find answers to so far:
I've never worked anywhere where the default domain policies have been so heavily modified; I'm just looking for someone who's done this before and the problems they encountered as a result of this utility.
Will this utility reset the policies back to when we upgraded our DCs to 2003, or just to the default out-of-the-box configuration for Windows Server 2003?
We're using RIS; will we need to reconfigure all of our RIS settings and start from scratch with RIS?
Will there be any negative impact on Exchange 2003 SP2?

Thanks in advance for your help.
Netman66

Yes, there are negative effects on Exchange when you do this.

You can use GPMC and backup the policies, then restore them to the fixed policies, but I think that will simply return all the bad entries too.

You'll have to see where the registry adm is located and figure out what keys were touched.  Create a script to revert those registry settings then put it in a Startup script for the workstations.  This will fix the clients.
At the same time, rename the ADM so it can't be picked up again.  Track down the gpt.ini for that policy and scrub it of these entries from the registry adm and you should be all set.

Registry-based ADMs will tattoo the registry on whatever machines they touch.
l84work
Assigning and publishing applications from a GPO has never been very reliable.  It does work given enough time.

DCgpofix tool:
http://support.microsoft.com/kb/833783

RIS -

"If your network uses RIS with Windows 2000 Server, you should make the RIS server the first computer that you upgrade to Windows Server 2003. You won’t be able to use RIS later unless it is upgraded first because of design changes in the way that Active Directory performs authentication. Upgrading the RIS server to Windows Server 2003 gives it the ability to communicate with the remaining Windows 2000 domain controllers, as well as with Windows Server 2003 domain controllers." (download.microsoft.com/download/9/9/6/996f17f2-e008-4581-a26f-9098f87690e2/Upgwin2k.doc)
hh_techservices (ASKER)
Netman66- There's only one "registry" based .adm that I'm worried about... it's Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/92809.mspx?mfr=true
This policy was probably set before we upgraded to 2003?? but it's now an option in XP/2003.  In a group policy you can configure Computer Configuration\Administrative Templates\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network.  Whether or not this option is configured on the clients doesn't really matter to me... And after checking a handful of our workstations that should have the registry entry, none of them did.  So it would appear that the .adm portion of this policy isn't working anymore, which is fine by me.

You said that we will have negative effects on Exchange, specifically what kind of problems will we experience with exchange and what can I do to prevent or remedy these problems?

Thanks
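Netman66's suggestion of a startup script that reverts the tattooed registry settings, worked for the one value the asker names, as an added example (not code from the thread or from any of its participants). The key and value name come from the thread; the log file location is an assumption.

```powershell
# Added example: revert a registry value tattooed by a registry-based ADM.
# Path and value name are those named in the thread; the log path is assumed.
$ValueName = 'NC_ShowSharedAccessUI'
$SubKey    = 'SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$LogFile   = Join-Path $env:SystemRoot 'Temp\revert-tattoo.log'   # assumed location

# The asker saw the entry under User Configuration, but the XP/2003 policy
# equivalent is a Computer Configuration setting, so check both hives.
# Note: a Startup script runs as LocalSystem, so HKCU here is SYSTEM's hive;
# deploy the same script as a user Logon script to clean per-user copies.
$Targets = @("HKLM:\$SubKey", "HKCU:\$SubKey")

function Remove-TattooedValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) {
        return "$Path - key absent, nothing to do"
    }
    $key = Get-Item -Path $Path
    if ($key.GetValueNames() -notcontains $Name) {
        return "$Path\$Name - value absent, nothing to do"
    }
    # Record the old data before removing it so the change can be audited.
    $old = $key.GetValue($Name)
    Remove-ItemProperty -Path $Path -Name $Name -Force
    return "$Path\$Name - removed (was $old)"
}

foreach ($t in $Targets) {
    $msg = Remove-TattooedValue -Path $t -Name $ValueName
    "$(Get-Date -Format s) $env:COMPUTERNAME $msg" |
        Out-File -FilePath $LogFile -Append -Encoding ascii
}
```

Run it once as a Computer Configuration Startup script (and as a User Configuration Logon script for HKCU), then check the log on a few affected workstations before renaming the ADM so the setting cannot be reapplied.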



ASKER CERTIFIED SOLUTION
Netman66