Recreate Default Domain Policy

  • Recreate Default Domain Policy

    Hi there,

    We are having some issues which I believe may be related to a GPO. Upon opening the Default Domain Policy, there are some settings which I cannot find (i.e. Extra Registry Settings). Not sure how they got there, as it was set up by a previous IT Manager.

    I was wondering if it was possible to manually recreate the Default Domain Policy and Default Domain Controllers Policy? I found some pages on the net referring to dcgpofix, but they refer to this if the GPO is corrupt, which I don't think it is.

    If there is another way to rebuild these GPOs, please advise.

    Thanks in advance,
    Richard.

  • #2
    Re: Recreate Default Domain Policy

    AFAIK the only other way is to find a good "default domain policy" GPO and document it, then apply missing settings to your environment.

    Yet another reason, IMHO, why you should never change the default policies but should create new ones
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland


    • #3
      Re: Recreate Default Domain Policy

      dcgpofix is not just for corruption, it just reverts your domain and domain controllers policy back to default.

      However, as I am sure you have read, this is a last resort and must be used with great care. If you are going to use it, make sure you back up the settings in their current state so you can easily revert back to them.

      Imo it will be a lot less painful to open up the GPMC and go through the expanded settings list and revert them back as and where required.

      Ste
      Steven Roberts
      IT Mercenary

      MCITP:EA|MCTS|MCSE 2003 (Messaging and Security)|MCSA 2003 (Messaging and Security)|MCP|Prince2 Practitioner


      • #4
        Re: Recreate Default Domain Policy

        I was hoping not to go down that route...

        Is it possible to delete the 'Default Domain Policy', create a new policy and call it 'Default Domain Policy'? Or is there something in the policy that is not recreated in a new policy?

        Thanks



        • #5
          Re: Recreate Default Domain Policy

          Default Policies cannot (AFAIK) be deleted
          Tom Jones


          • #6
            Re: Recreate Default Domain Policy

            You would think it would be as easy as recreating a new blank GPO and then linking it by changing the GUID in the SYSVOL folder, but it is not as easy as this.

            You would then need to do a bit of fiddling in ADSI Edit to create the GUID, this is what the little tool that we discussed previously does.

            I am not sure of the manual process of doing this and I would have to Google it.

            As far as I can see your options are as follows:

            1. Backup AD and run dcgpofix.
            2. Backup AD and run through the manual creation and link of new template.
            3. (and this is my preference) Expand all selections in GPMC and remove/change any bogus entries, this would stand you the best chance of longevity.

            You may run into security problems recreating it, so even if all looks ok in the short term, you may run into some long term issues.

            See http://support.microsoft.com/?KBID=833783 for details.

            Bite the bullet, expand and change

            Ste
            Steven Roberts


            • #7
              Re: Recreate Default Domain Policy

              The GP Editor displays settings based upon the policy templates it has access to.

              Consider this scenario:

              1. I create a GPO and set a number of policy settings using the GP Editor on an XP SP2 workstation. For the sake of example, let's say the XP SP2 ADM templates supply a total of 1000 settings within the GP Editor.

              2. I then go and edit the same policy using a W2K3 Server GP Editor. The older ADM policy templates supplied with W2K3 Server only offer (again for the sake of example) 800 settings within the GPO Editor.

              If I set any of the 200 extra policy settings offered by the XP SP2 templates, they will show up as Extra Registry Settings in the GPMC on the W2K3 Server.

              You may be able to gain access to the Extra Registry Settings by making sure that the system you're using to edit the policy has the most up to date policy templates.

              One point to make clear, the existence of "Extra Registry Settings" in the GPMC in no way indicates that the policy is corrupt or needs to be re-created. It just means you're missing, or using outdated policy templates.

              Recommend you read-
              http://support.microsoft.com/kb/816662

              Comment
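
The mechanism described in post #7, as an added example that is not part of the original thread: a GPO's registry-based settings are stored in its Registry.pol file, and an editor can only show a named setting for values its templates describe, so this sketch parses the file and lists the values an older template set would leave as Extra Registry Settings. The key and value names, `SAMPLE` and `OLD_TEMPLATES` are constructed for illustration.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
HEADER = b"PReg" + struct.pack("<I", 1)    # file signature + format version 1

def _w(s): return s.encode("utf-16-le")

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_wstr(buf, pos):                  # NUL-terminated UTF-16LE string
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(buf):
    """Return [(key, value_name, type, data)] from the bytes of a Registry.pol."""
    if buf[:8] != HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):                  # record: [key;value;type;size;data]
        key, pos = _read_wstr(buf, _expect(buf, pos, "["))
        value, pos = _read_wstr(buf, _expect(buf, pos, ";"))
        rtype, = struct.unpack_from("<I", buf, _expect(buf, pos, ";"))
        size, = struct.unpack_from("<I", buf, _expect(buf, pos + 6, ";"))
        pos = _expect(buf, pos + 12, ";")
        data = buf[pos:pos + size]         # length-prefixed, so it may hold ';' or ']'
        pos = _expect(buf, pos + size, "]")
        entries.append((key, value, rtype, data))
    return entries

def split_by_templates(entries, template_values):   # -> (named, extra)
    known = {(k.lower(), v.lower()) for k, v in template_values}
    is_known = lambda e: (e[0].lower(), e[1].lower()) in known
    return [e for e in entries if is_known(e)], [e for e in entries if not is_known(e)]

def _entry(key, value, rtype, data):       # builds one constructed sample record
    return (_w(f"[{key}\0;{value}\0;") + struct.pack("<I", rtype) + _w(";")
            + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

K = r"Software\Policies\ExampleVendor\Feature"   # constructed key, not a real policy
SAMPLE = (HEADER + _entry(K, "OldSetting", REG_DWORD, struct.pack("<I", 1))
          + _entry(K, "NewSetting", REG_SZ, _w("a;b]\0")))
OLD_TEMPLATES = {(K, "OldSetting")}        # all that the older editor's templates cover
```

Registry key and value names are matched case-insensitively, as the registry itself does; to inspect a real GPO, pass the bytes of its Registry.pol from SYSVOL to `parse_registry_pol`.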


              • #8
                Re: Recreate Default Domain Policy

                Thanks for the advice. Greatly appreciated.
