If you are having problems with the default GPOs that are created on
every new domain, this tool might be helpful. The two default GPOs,
Default Domain Policy and Default Domain Controller Policy, are
essential for configuring account policies, security settings, and
domain controller user rights in the enterprise. If these GPOs get
corrupt or misconfigured, they can be set back to the default settings
by using the Dcgpofix tool.
Dcgpofix is an easy-to-use default tool for Windows Server 2008 that
reports the results of the GPOs that were recovered. You can restore
the Default Domain Policy or the Default Domain Controller Policy
individually, or you can restore both to the original settings.
Warning
If you have made any changes to these two GPOs after the initial
installation of the domain, the changes that you made will be lost.
One potential concern with running this tool is the version of the
Active Directory schema. Microsoft Windows Server 2003 and Windows
Server 2008 domains have a different schema, and these versions are
meticulously watched by the Active Directory when anything that
interfaces with Active Directory is not working with the correct schema
version. By specifying the /ignoreschema parameter, you can enable
Dcgpofix.exe to work with different versions of Active Directory.
However, default policy objects might not be restored to their original
state. To ensure compatibility, use the version of Dcgpofix.exe that is
installed with the current operating system and service pack.
The tool syntax is very simple and straightforward:
dcgpofix [/ignoreschema][/target: {domain | dc | both}]
The parameters for the command are as follows:
/ignoreschema
This is an optional switch that ignores the Active Directory schema version number:
/target: {domain | dc | both}
This is an optional switch that specifies the target domain, domain
controller, or both. If you do not specify /target, dcgpofix uses both
by default.
You can find Dcgpofix.exe in the C:\Windows\System32 folder of a
domain controller running Windows Server 2008. Before the tool runs, it
checks the schema version to ensure compatibility of the operating
system with the GPOs that you want to replace. You must be a domain
administrator or an enterprise administrator to use this tool.
The following extension settings are maintained in a default Group
Policy object: Remote Installation Services (RIS), security settings,
and Encrypting File System (EFS).
The following extension settings are not maintained or restored in a
default Group Policy object: software installation, Internet Explorer
maintenance, scripts, folder redirection, and administrative templates.
The
following changes are not maintained or restored in a default Group
Policy object: Security settings made by Microsoft Exchange 2000 Setup,
security settings migrated to default Group Policy during an upgrade
from Microsoft Windows NT to Windows 2000, and policy object changes
made through Systems Management Server (SMS).
By far one of the most complex and sophisticated mechanisms in
Active Directory is a GPO. Possibly the only thing more complex than a
GPO is the logging associated with the GPOs. GPMonitor is designed to
help centralize reports created from the GPOs on a computer.
GPMonitor is part of the Microsoft Windows Server 2003 Resource Kit Tools and can be downloaded free from Microsoft at http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96eeb18c4790cffd&displaylang=en.
GPMonitor sends information back to the centralized share when a
refresh or a forced update to a GPO occurs on the target computer. When
the information is sent back to the centralized share, it is stored in
files that can then be queried. The querying occurs with the GPMonitor
interface.
GPMonitor works by running on the computers that will store their
information in the centralized share. The configuration of the
GPMonitor service and settings is controlled by a GPO. When you install
the GPMonitor service, you are provided with a GPMonitor.adm template.
This template is imported into a GPO at the Active Directory level to
target computers in the domain. The GPMonitor.adm template configures
the following settings:
-
UNC path to centralized share
. This is the server and share where all of the GPO
information is stored. You can have different paths for different types
of computers on the network, or they can all share the same shared
folder.
-
Refresh interval
. This indicates how often the GPMonitor service will
update the information stored in the share. By default, this is set to
every eight refreshes. You can adjust the frequency down to every
refresh if the server holding the share can store all of the
information from all members.
