dcgpofix preparations

Our old IT staff made some major changes to the default domain policy and default domain controller policies.  Over the past few months we've broken most of the necessary settings into individual GPOs and applied them to the appropriate OUs.  

There are still some settings that I can't seem to un-do in the Default policies, for example we have an "extra registry settings" section in our User Configuration\Administrative Templates\Extra Registry Settings\ on both default domain policy and default DC policies.  

To remedy these problems and start from scratch with default domain and default DC policies, I'd like to use dcgpofix to reset those two policies to an out of the box state.  
The reason I'm doing this is that we're having some strange issues with policies not replicating to the clients: even when running gpupdate /force, we still see a lot of computers that don't get the correct policies and that have problems with published applications.  Many of the errors logged on the clients are generic ("Check to make sure that you have access to the installation folder, etc...").  I know the access rights are configured correctly because not all clients are affected by these widespread issues.  I'm not sure if this will fix or help to fix our problems, but I think it will be a good place to start.

I have a few questions that I haven't been able to find answers to so far:
I've never worked anywhere where the default domain policies have been so heavily modified, I'm just looking for someone who's done this before and the problems that they encountered as a result of this utility.
Will this utility reset the policies back to when we upgraded our DCs to 2003, or just to the default out-of-the-box configuration for Windows Server 2003?
We're using RIS, will we need to reconfigure all of our RIS settings and start from scratch with RIS?
Will there be any negative impact on Exchange 2003 sp2?

Thanks in advance for your help.
Asked by hh_techservices (IT Director)

Netman66 commented:
Exchange adds some things to the Default Domain and Default Domain Controller policies - specifically, accounts to certain policy elements.

Simon would likely know just what, as I'm not perfectly certain.

All I know is that Exchange will stop working properly - for example sending mail, and maybe even the service startup on reboot.  I've run into this with a few people already and restoring the old policies returned it to service.

I'm sure if I spent an hour or two I could figure out what changes, but I don't have the cycles to look at this in that detail.

I just wanted to warn you to tread carefully if that was what you were going to ultimately do.
Yes, there are negative effects on Exchange when you do this.

You can use GPMC and backup the policies, then restore them to the fixed policies, but I think that will simply return all the bad entries too.

You'll have to see where the registry adm is located and figure out what keys were touched.  Create a script to revert those registry settings then put it in a Startup script for the workstations.  This will fix the clients.
At the same time, rename the ADM so it can't be picked up again.  Track down the gpt.ini for that policy and scrub it of these entries from the registry adm and you should be all set.

Registry-based ADMs will tattoo the registry on whatever machines they touch.
Assigning and publishing applications from GPO has never been very reliable.  It does work given enough time.

DCgpofix tool:

"If your network uses RIS with Windows 2000 Server, you should make the RIS server the first computer that you upgrade to Windows Server 2003. You won’t be able to use RIS later unless it is upgraded first because of design changes in the way that Active Directory performs authentication. Upgrading the RIS server to Windows Server 2003 gives it the ability to communicate with the remaining Windows 2000 domain controllers, as well as with Windows Server 2003 domain controllers." (download.microsoft.com/download/9/9/6/996f17f2-e008-4581-a26f-9098f87690e2/Upgwin2k.doc)
hh_techservices (IT Director, author) commented:
Netman66- There's only one "registry" based .adm that I'm worried about... it's Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI.

This policy was probably set before we upgraded to 2003? But it's now an option in XP/2003.  In a group policy you can configure Computer Configuration\Administrative Templates\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network.  Whether or not this option is configured on the clients doesn't really matter to me... And after checking a handful of our workstations that should have the registry entry, none of them did.  So it would appear that the .adm portion of this policy isn't working anymore, which is fine by me.

You said that we will have negative effects on Exchange, specifically what kind of problems will we experience with exchange and what can I do to prevent or remedy these problems?
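Netman66's advice above is to work out which registry keys the orphaned ADM touched and scrub them from the policy, and hh_techservices names the single entry at issue, NC_ShowSharedAccessUI. Those entries do not live in gpt.ini (which only carries the version counter); Administrative Template settings are stored in the GPO's registry.pol files in SYSVOL (Machine\registry.pol and User\registry.pol under Policies\{GUID}), and GPMC reports them as "Extra Registry Settings" when no ADM on the reporting machine describes them. The block below is an added example, not code from this thread or from Microsoft: a parser and writer for the registry.pol ("PReg") format that lists every entry, flags the ones outside the policy hives (only those tattoo; values under Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies are removed when the GPO stops applying), and drops a named entry. The sample file is constructed here; the Contoso key is hypothetical, and the only path taken from the thread is the NC_ShowSharedAccessUI policy key.

```python
import struct

# Hives the policy engine treats as policy-managed: values here are cleared when
# the GPO no longer applies. Anything else is written once and left behind.
POLICY_HIVES = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)
REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)      # magic + version 1 (MS-GPREG)


def _u16(s):
    """UTF-16LE with the terminating NUL that PReg strings carry."""
    return (s + "\x00").encode("utf-16-le")


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, pos past NUL)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, ch):
    """Consume one delimiter ('[', ';' or ']'), itself stored as UTF-16LE."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, raw_data)] from PReg bytes."""
    if buf[:8] != HEADER:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(buf):                    # each record is [key;name;type;size;data]
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = _expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        entries.append((key, name, reg_type, data))
    return entries


def build_registry_pol(entries):
    """Inverse of parse_registry_pol: serialise entries back into PReg bytes."""
    sep = ";".encode("utf-16-le")
    out = bytearray(HEADER)
    for key, name, reg_type, data in entries:
        out += "[".encode("utf-16-le") + _u16(key) + sep + _u16(name) + sep
        out += struct.pack("<I", reg_type) + sep + struct.pack("<I", len(data)) + sep
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def decode_data(reg_type, data):
    """Readable value for the two types this example cares about."""
    if reg_type == REG_DWORD:
        return struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()


def tattooing_entries(entries):
    """Entries outside the policy hives, i.e. ones that persist on clients."""
    return [e for e in entries if not e[0].lower().startswith(POLICY_HIVES)]


def remove_entry(entries, key, name):
    """Drop one (key, value) pair case-insensitively: the 'scrub' step."""
    target = (key.lower(), name.lower())
    return [e for e in entries if (e[0].lower(), e[1].lower()) != target]


def audit(buf):
    """Parse a registry.pol; return (decoded entries, tattooing (key, name) pairs)."""
    entries = parse_registry_pol(buf)
    decoded = [(k, n, decode_data(t, d)) for k, n, t, d in entries]
    return decoded, [(k, n) for k, n, _, _ in tattooing_entries(entries)]


# Constructed sample registry.pol. The ICS entry is the policy named in the
# thread (Enabled writes NC_ShowSharedAccessUI = 0); the Contoso key is made up
# to show a value that would tattoo.
SAMPLE_ENTRIES = [
    ("Software\\Policies\\Microsoft\\Windows\\Network Connections",
     "NC_ShowSharedAccessUI", REG_DWORD, struct.pack("<I", 0)),
    ("Software\\Policies\\Microsoft\\Windows\\Installer",
     "DisableMSI", REG_DWORD, struct.pack("<I", 1)),
    ("Software\\Contoso\\Legacy", "LogonBanner", REG_SZ, _u16("Authorised use only")),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    decoded, tattoos = audit(SAMPLE_POL)
    for key, name, val in decoded:
        print("%s\\%s = %r" % (key, name, val))
    print("would tattoo:", tattoos)
```

To run it against a live policy, read the file from SYSVOL (`parse_registry_pol(open(path, "rb").read())`), then write the result of `build_registry_pol(remove_entry(...))` back. After editing a registry.pol by hand you must increment `Version=` in that GPO's gpt.ini and the matching versionNumber attribute on the groupPolicyContainer object in AD (or make any trivial edit in GPMC, which does both), otherwise clients treat the GPO as unchanged and never re-read it.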

