• Status: Solved

Resetting Group Policy on server with new DC

We just replaced an SBS 2003 box that crashed with a brand new SBS 2008 setup... re-added user accounts manually, etc.

In the setup is a secondary server running terminal services that was pulling its group policy settings off of the old SBS 2003 box. I'm running into some permission errors on the terminal server from the old GP.

How do I go about resetting the Group Policy on the 2nd server so it's like a fresh install?
Fluid_Imagery
Asked:
 
MightySW Commented:
First try removing it from DNS (forward and reverse) and do an ipconfig /registerDNS, do a gpupdate and reboot. After bootup run GPRESULT and see if you are getting the new policies.

You can also try the following:

Try removing it from the domain and adding it back in. Run GPRESULT afterwards and see what GPs it is pulling down and from where.

After you delete the computer account and remove it from the domain, be sure that you go into DNS and remove any instances of it in the forward and reverse lookup zones.

It is often a matter of time before residual computer GPs eventually release and are then replaced by the new policies.

If someone knows the correct GP flush method then I am all ears.

HTH
 
andrew_aj1 Commented:
This should help you out:
http://support.microsoft.com/kb/324800
Good luck.
 
MightySW Commented:
That's not what he is asking about. That will reset the Default domain policy altogether. He said that he is still getting residual GPs from the old 2k3 policy. This Default domain policy has been replaced with the 2k8 policy...
 
ChiefIT Commented:
There is a tool called GPOfix that resets the "default domain policy" and "default domain controller policy" back to the default settings. Interested in that tool?
 
Fluid_Imagery (Author) Commented:
MightySW, I tried a few of your suggestions but the server still isn't acting normally... simple example is that the Shut Down option is missing. To restart the machine I need to go to CMD - Shutdown /R

ChiefIT: Is that only going to reset the one server and not the domain group policy?
 
ChiefIT Commented:
For GPO fix it resets one or both of the following policies:

The "Default Domain Controller Policy"
The "Default Domain Policy"

Site, Forest, and OU policies can be unlinked and deleted to reset those.

So realistically, GPOfix resets the builtin policies.
_____________________________________________________________________________
However, I have to ask you a question. There may be another way to rebuild the policies. It actually rebuilds the sysvol and netlogon shares.

Let's say you are getting error 1030 and 1058 in event logs and you physically navigate to the sysvol folder and find the Group Policies are not there. You may not have to NIX your group policy objects. Instead, you can rebuild the sysvol and netlogon shares using the BurFlags method.

So, there may be another approach to fixing your issue, (if you are interested).

 
Fluid_Imagery (Author) Commented:
When I go to c:\System Volume Information There are only two files in there   MountPointManagerRemoteDatabase  and tracking.log

There aren't any shares for either sysvol or netlogon nor can I find the directories... just to mention,  the server is not a domain controller.
 
ChiefIT Commented:
OHHHH, I see:

You are saying this computer is getting GP from a computer that no longer exists. All you should have to do is go to the command prompt and type gpupdate /force as long as it is a member of your new DC's domain.
 
MightySW Commented:
A reboot would have fixed that. Again, if you run GPRESULT and you see what you are getting then the new GP has taken effect.

Residual GPs are tough to get rid of.
 
MightySW Commented:
Here you go:

http://escapelogic.com/main/node/2

Hope this one helps.
 
Fluid_Imagery (Author) Commented:
Thanks Mighty,  we're getting there.... just so I don't screw this up...

The first step both a and b are confusing me.  Maybe you can make it a little more clear.

I'm assuming 1a is deleting HKLM\software\policies\microsoft directory... not sure what the switch /f is doing

is the line:  reg delete hklm\software\policies\microsoft /f  something I would type in the Run command?

then in 1b I'm assuming it's importing the same values from an export of a fresh install of server 03  /s being silent correct?


The rest is easy enough to follow... just wanted to be clear.

Thanks
 
MightySW Commented:
Just do this:

2. Issue the command to reset the rest of the GPO settings to their defaults (enter this all on one line):
secedit /configure /db reset /cfg "c:\windows\security\templates\setup security.inf" /overwrite

3. Delete the registry.pol file if it exists: (be sure to back it up first!!!!!!)
del c:\windows\system32\grouppolicy\machine\registry.pol
4. Reboot

After you reboot, check your shutdown and other settings that were tattooed.
 
MightySW Commented:
Unless you had IPsec and software restriction policies.

Doesn't sound like you did.  
 
MightySW Commented:
and BTW, these are ALL DOS commands
 
Fluid_Imagery (Author) Commented:
That didn't do it :(  This is getting very frustrating... what else could it be?

Still no shutdown, getting access denied on opening programs as domain admin and local admin
 
ChiefIT Commented:
Let's reset the secure channel on the workstation to make sure computer policies are handed down from the current domain controller.

On the workstation's command prompt:

netdom reset /d:your.domain.name workstationname
 
Fluid_Imagery (Author) Commented:
What do I need to install to enable the netdom command? I tried installing the support tools and it didn't seem to help.
 
Fluid_Imagery (Author) Commented:
Never mind... I just had to close and reopen the command prompt... rebooting server now
 
Fluid_Imagery (Author) Commented:
OK, came back up... same issues but let me know where to go from here...
 
MightySW Commented:
You looked at these keys:
HKEY_LOCAL_MACHINE\Software\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
??
What is listed under them?
 
Fluid_Imagery (Author) Commented:
Attached are the images of regedit

There is nothing listed for HKEY_CURRENT_USER\Software\Policies
regedit1.gif
regedit2.gif
regedit3.gif
 
MightySW Commented:
I need this one:  
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Can you see that the previous key has tattooed information in there?  

If someone clicks on start is there a logoff under it?
Will it auto run if you put a CD in?
Is there a  more under your start menu programs?

I need to see the other.  If the other contains something about the shutdown then we have our culprit.  I would say that you back this last registry key up and then wipe out the contents.  This will take care of a few Tattoos that you have.
 
Fluid_Imagery (Author) Commented:
Logoff is listed, just not shutdown... I'll have to check on the rest.
 
MightySW Commented:
Yes, there were 4 keys to check.

Lemme know.
 
Fluid_Imagery (Author) Commented:
I did it!  Thank you for the help.

There were two different issues going on..

First was the few policy entries that were in the registry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
I cleared out some of those under the Explorer folder.  Logged out and back in and I got my shutdown button.

The other issue with the "permission" issues was related to a windows component
"Internet Explorer Enhanced Security Configuration"
I uninstalled that and now we're back up and running!

Thank you for all of your help and fast responses.
 
MightySW Commented:
Awesome.  

Glad we could help
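
The four-key check and the back-it-up-first advice from the thread, as an added example that is not part of the original posts: a read-only PowerShell audit that exports each policy key, copies registry.pol if present, and lists every value found. The backup directory is a placeholder and PowerShell 2.0 or later is assumed to be installed on the server.

```powershell
# Added example: list every value under the four policy keys from the thread
# and export each key to a .reg file before anything is cleared by hand.
# Assumptions: C:\PolicyBackup is a placeholder path; HKCU is the hive of the
# account running the script, so run it as the affected user (elevated, so
# the HKLM exports succeed).
$BackupDir = 'C:\PolicyBackup\' + (Get-Date -Format 'yyyyMMdd-HHmmss')
$PolicyKeys = @(
    'HKLM\Software\Policies',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU\Software\Policies',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Copy the machine registry.pol named in the thread before it is ever deleted.
$pol = 'C:\windows\system32\grouppolicy\machine\registry.pol'
if (Test-Path $pol) { Copy-Item $pol (Join-Path $BackupDir 'registry.pol.bak') }

$report = foreach ($key in $PolicyKeys) {
    $psPath = 'Registry::' + ($key -replace '^HKLM', 'HKEY_LOCAL_MACHINE' -replace '^HKCU', 'HKEY_CURRENT_USER')
    if (-not (Test-Path $psPath)) { continue }

    # Export the whole key so a later deletion can be undone with "reg import".
    # The directory is new, so reg.exe never has to prompt about overwriting.
    $file = Join-Path $BackupDir (($key -replace '\\', '_') + '.reg')
    reg.exe export $key $file | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed for $key" }

    # Walk the key and all of its subkeys, emitting one row per value.
    $nodes = @(Get-Item $psPath) + @(Get-ChildItem $psPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($node in $nodes) {
        foreach ($name in $node.GetValueNames()) {
            New-Object PSObject -Property @{
                Key   = $node.Name
                Value = $name
                Data  = $node.GetValue($name)
            }
        }
    }
}

# Compare this list with GPRESULT: a value that no applied GPO sets is a
# candidate tattoo left over from the old domain's policy.
$report | Sort-Object Key, Value | Select-Object Key, Value, Data |
    Format-Table -AutoSize -Wrap
```

The thread does not say which values under the Explorer key were cleared; on Windows the "remove Shut Down" policy is stored there as NoClose, so that is one name to look for in the output.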