
dcgpofix Question


  • dcgpofix Question

    Hey Guys

    I have been asked to clean up an AD environment that is basically rubbish to begin with. In the past the admins have made an absolute mess of the Default Domain Policy to such an extent that it doesn't actually exist (I believe they have renamed it) and added a load of rubbish settings to it.

    What I would like to do is run the dcgpofix /target:domain command to restore the policy back to its default settings. The one thing I am not sure of is that they have created a separate policy to enforce password settings that is applied on individual OUs rather than the root of the domain. By restoring the Default Domain Policy back to its original settings, will this affect any of the password policies already in place? Also, if I restore the DDP and copy the password policies from the other GPO, will this cause any conflicts?

    Last little bit of information is that the OU that houses all the Users & Groups has Block Inheritance set. I would like to sort out the GPOs on the root of the domain and eventually unblock inheritance.

    Thanks in advance

  • #2
    Re: dcgpofix Question

    For domain users, password policy only works when it's set in the default domain policy.
    For local users it can be set on an OU or wherever you like.
    However, I would install GPMC (Group Policy Management Console) and start from there.
    Btw, admins usually don't make a mess. It can be that they have fewer skills than you have or whatever. They have done their best to their knowledge.

    (With Windows 2008 it is a bit different, but I assume you use Windows 2003.)
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: dcgpofix Question

      Hi,

      Best thing to do IMO in a situation like that is to export all the settings of the existing DDP and then import it into a new policy.
      Then run dcgpofix to restore the default settings of DDP.
      Link the newly imported policy at a domain level and then sort out settings on your own time by either creating new policies and linking them at the OU level or getting rid of unnecessary settings altogether.

      That way you won't lose any functionality.

      Cheers
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR
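
The sequence described in post #3 (back up the existing DDP settings, import them into a new GPO, reset the DDP, link the new GPO at the domain), written out as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy module (GPMC/RSAT on Windows Server 2008 R2 or later) and a session with Domain Admin rights; the backup path and the new GPO name are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated session on a
# machine with GPMC installed; requires the GroupPolicy module.
Import-Module GroupPolicy

# Well-known GUID of the Default Domain Policy. It stays the same when the
# GPO is renamed, so it locates the DDP even under a different display name.
$ddpGuid    = '31B2F340-016D-11D2-945F-00C04FB984F9'
$backupDir  = 'C:\GPOBackup'          # hypothetical backup folder
$newGpoName = 'Legacy DDP Settings'   # hypothetical name for the copy
$domainDn   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

# 1. Confirm which GPO currently carries the DDP GUID.
$ddp = Get-GPO -Guid $ddpGuid
Write-Host "DDP is currently named: $($ddp.DisplayName)"

# 2. Keep a readable report and a restorable backup of the current settings.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Get-GPOReport -Guid $ddpGuid -ReportType Html `
    -Path (Join-Path $backupDir 'ddp-before-reset.html')
$backup = Backup-GPO -Guid $ddpGuid -Path $backupDir `
    -Comment 'DDP before dcgpofix'

# 3. Import the backed-up settings into a new, separate GPO.
Import-GPO -BackupId $backup.Id -Path $backupDir `
    -TargetName $newGpoName -CreateIfNeeded | Out-Null

# 4. Reset the Default Domain Policy (dcgpofix asks for confirmation).
dcgpofix /target:Domain

# 5. Link the copy at the domain root.
New-GPLink -Name $newGpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# 6. Review link order at the domain root. A lower Order number means higher
#    precedence, so the order decides whether the copied settings (including
#    any password settings) override the restored defaults.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Format-Table DisplayName, Order, Enabled, Enforced
```

The HTML report from step 2 gives a before-state to diff against while settings are later moved out of the copied GPO or dropped.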
