Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Recovery from improper GPO management [message #159170] Sat, 25 July 2009 11:11
tld
Hi Everyone,

I have inherited an Active Domain on Windows 2003 where all changes that
have been done to the GPOs have been done to both the Default Domain Policy
and the Default Domain Controller Policy. Unfortunately some of the changes
that were done are causing some additional problems due to being pushed out to
all the machines in the domain. I want to redo the policies where I am only
linked to the default policy for the different OUs.

What would be the best way to proceed to make the domain be set up
properly and get the issues resolved?

thanks

tld
Re: Recovery from improper GPO management [message #159171 is a reply to message #159170] Sat, 25 July 2009 14:35
Marcin
Inventory all settings that are applied via default GPOs. Implement these
applicable to specific OUs via GPOs linked to them. Verify they apply via
RSOP/GPResult. Remove them from the default GPOs. Use backup/restore
throughout this process as a potential fallback...

hth
Marcin
Re: Recovery from improper GPO management [message #159172 is a reply to message #159171] Sat, 25 July 2009 15:21
aceman
"Marcin" <marcin@community.nospam> wrote in message
news:Oz1p4dWDKHA.1540@TK2MSFTNGP02.phx.gbl...
> Inventory all settings that are applied via default GPOs. Implement these
> applicable to specific OUs via GPOs linked to them. Verify they apply via
> RSOP/GPResult. Remove them from the default GPOs. Use backup/restore
> throughout this process as a potential fallback...
>
> hth
> Marcin

Hi Marcin,

TLD can also use the dcgpofix tool to reset both policies to their defaults
after an inventory of settings is created. He can create a report of current
settings with GPMC.

To reset the policies:

To reset the Domain GPO, type
dcgpofix /target:Domain

To reset the Default DC GPO, type
dcgpofix /target:DC

To reset both the Domain and Default DC GPOs, type
dcgpofix /target:both

More info for TLD to read up on:

Create the default DNS application directory partitions: Domain ...
Jan 21, 2005 ... Click Create Default Application Directory Partitions. ...
Create a single application directory partition that stores DNS zone data and
replicates that data to all DNS servers in the domain.
DomainDnsZones.DnsDomainName ...
http://technet.microsoft.com/en-us/library/cc739505(WS.10).aspx

DCGPOFix - Petri.co.il forums by Daniel Petri
5 posts - 2 authors - Last post: Feb 15, 2007
DcGPOFix [/ignoreschema] [/Target: Domain | DC | Both]. ... Please see this
link for info regarding the DCGPOFIX command ...
www.petri.co.il/forums/showthread.php?t=13591

The Dcgpofix tool does not restore security settings in the ...
Explains that the Dcgpofix tool does not restore security settings in the
Default Domain Controller Policy to the same state that they were in after ...
http://support.microsoft.com/kb/833783

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Re: Recovery from improper GPO management [message #159176 is a reply to message #159172] Sat, 25 July 2009 16:52
Marcin
Ace,
I'm typically reluctant to recommend dcgpofix due to its potentially
destructive nature - unless it is intended as "the last resort" solution..

best regards,
Marcin
Re: Recovery from improper GPO management [message #159178 is a reply to message #159176] Sat, 25 July 2009 19:15
aceman
"Marcin" <marcin@community.nospam> wrote in message
news:OmdaJqXDKHA.4608@TK2MSFTNGP02.phx.gbl...
> Ace,
> I'm typically reluctant to recommend dcgpofix due to its potentially
> destructive nature - unless it is intended as "the last resort" solution..

I know what you mean and am aware of that. I should have posted the warnings
I found on it too, so the OP can make an informed decision if he/she wants
to use it. But if there are many changes in the default policies, it may be
a bit of a challenge to reset them manually. Of course, backing up the
current GPOs using the GPMC is highly recommended before making any changes.

Error message when you use the Dcgpofix.exe command-line tool in a ...
Feb 21, 2007 ... Describes an issue that occurs because the schema version of
the domain does not match the schema version that the tool expects.
http://support.microsoft.com/kb/932445

How safe is dcgpofix.exe?
3 posts - Last post: Dec 26, 2006
I know about the dcgpofix tool, but I have never used it. ... The main
problem with it is that dcgpofix will not restore security ...
http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic29535.aspx

Ace
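
The backup-and-inventory step recommended in the replies above, as an added example that is not part of any post in this thread. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later, so not the 2003 tooling the thread was written against); `$BackupRoot` is a hypothetical path, and the two GUIDs are the well-known identifiers of the Default Domain Policy and Default Domain Controllers Policy.

```powershell
# Added example: snapshot both default GPOs before editing them or running dcgpofix.
# Assumption: GroupPolicy module is installed and the session has domain admin rights.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackup'   # hypothetical location, adjust as needed
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Well-known GUIDs of the two default GPOs; they still match if a GPO was renamed.
$defaults = @{
    'DefaultDomainPolicy'            = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'DefaultDomainControllersPolicy' = '6AC1786C-016D-11D2-945F-00C04FB984F9'
}

$summary = foreach ($entry in $defaults.GetEnumerator()) {
    $gpo = Get-GPO -Guid $entry.Value

    # Fallback copy; restore later with: Restore-GPO -Guid <guid> -Path $dest
    Backup-GPO -Guid $entry.Value -Path $dest `
        -Comment 'Before default GPO cleanup' | Out-Null

    # Full settings inventory, one HTML report per GPO, kept next to the backup.
    Get-GPOReport -Guid $entry.Value -ReportType Html `
        -Path (Join-Path $dest "$($entry.Key).html")

    # Short summary: which policy areas carry settings on each side of the GPO.
    [xml]$report = Get-GPOReport -Guid $entry.Value -ReportType Xml
    foreach ($side in 'Computer', 'User') {
        $areas = @($report.GPO.$side.ExtensionData |
            Where-Object { $_ } | ForEach-Object { $_.Name })
        New-Object PSObject -Property @{
            GPO      = $gpo.DisplayName
            Side     = $side
            Modified = $gpo.ModificationTime
            Areas    = ($areas -join ', ')
        }
    }
}

$summary | Format-Table GPO, Side, Modified, Areas -AutoSize

# After moving settings into OU-linked GPOs, verify what a machine actually receives
# before removing anything from the defaults ('WS01' is a hypothetical computer name):
#   Get-GPResultantSetOfPolicy -Computer 'WS01' -ReportType Html -Path "$dest\WS01-rsop.html"
```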
Re: Recovery from improper GPO management [message #159199 is a reply to message #159176] Mon, 27 July 2009 03:42
Jorge Silva
Hi
destructive nature???!!!

That's a strong word, don't you think? I used it sometimes and never destroyed
anything :D
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: Recovery from improper GPO management [message #159212 is a reply to message #159170] Mon, 27 July 2009 06:24
pbbergs
dcgpofix will reset the GPOs back to the default values as long as there are
only 2003 and 2008 DCs.

There is a good article on troubleshooting at:
http://technet.microsoft.com/en-us/magazine/2007.02.troubleshooting.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.