Having inherited some rather strange Group Policies on our Windows Server 2003 server, we wished we could just go back to the default policies. We figured out how to do it, but it is not recommended unless you have no choice. After trying to get some permissions corrected and finding them so messed up, we decided it was less of a problem to blow them away than to keep dealing with what we had been living with in the past.
Please use this with caution and a full understanding of what it will do to your domain!
To reset the Domain Controller Default Group Policy, do the following:
1. On all Domain Controllers, issue: net stop ntfrs at a command prompt.
2. On one of the Domain Controllers, at a command prompt issue: dcgpofix and answer ‘Y’ to all prompts.
3. If you have an Exchange Server, restore the rights of the Exchange Enterprise Servers group. Open the Group Policy (gpmc.msc) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, and check that the policy has been reset to the defaults. In the same location, locate “Manage auditing and security log” and add “Domain Name\Exchange Enterprise Servers” to it. (Re-running Exchange setup with the “/Domainprep” switch does the same thing.)
4. To keep the reset files from being overwritten by replication, make the Domain Controller on which you ran dcgpofix the authoritative file server for replication: at a command prompt, type regedit, navigate to “HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup” and set the “BurFlags” value to “D4”. (D4 marks that machine as authoritative; setting the other machine or machines to D2 forces them to replicate from the machine with the D4 setting.) On the other Domain Controllers, edit the same key and set the value to “D2”.
5. On all machines, issue: net start ntfrs. This starts replication, and every Domain Controller should log an entry in the “Application Log” indicating success. You can test replication manually by creating a new text file under “C:\Windows\SYSVOL\sysvol\Domain Name\Policies”, which should be replicated to the other machines. (Replace Domain Name with the name of the domain.)
6. Check the replication by going to “AD Sites And Services” -> Sites -> Servers, then under each server -> NTDS Settings; in the right pane, right-click and choose “Replicate Now”. This should indicate that replication was successful.
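The BurFlags and replication-test steps (4 and 5) are the ones most often done by hand on each DC, so here is an added example script that automates them on the DC it runs on. It is not from the original post; it assumes Windows PowerShell 2.0 or later and .NET 2.0 on the server, that you run it as a Domain Admin, and that ntfrs has already been stopped on all DCs (step 1). The parameter names, function names and the 60-second wait are my own choices.

```powershell
<#
  Added example (not part of the original post).
  Run with -Role Authoritative on the DC where dcgpofix was run (BurFlags = D4)
  and -Role NonAuthoritative on every other DC (BurFlags = D2).
  Usage:  .\Set-FrsBurFlags.ps1 -Role Authoritative -RestartFrs
          .\Set-FrsBurFlags.ps1 -Role NonAuthoritative -RestartFrs
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Authoritative', 'NonAuthoritative')]
    [string]$Role,
    [switch]$RestartFrs   # also start ntfrs afterwards (step 5) and show the FRS events
)

# The key name "Backup/Restore" contains a forward slash, which the HKLM: provider
# treats as a path separator, so the .NET registry API is used instead.
$subKeyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$burFlags   = @{ Authoritative = 0xD4; NonAuthoritative = 0xD2 }[$Role]

function Confirm-FrsStopped {
    # Step 1 must be complete on every DC before any flag is changed.
    $svc = Get-Service -Name NtFrs
    if ($svc.Status -ne 'Stopped') {
        throw "ntfrs is still '$($svc.Status)' on $env:COMPUTERNAME; run 'net stop ntfrs' on every DC first."
    }
}

function Set-BurFlags {
    param([int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKeyPath, $true)
    if ($null -eq $key) { throw "FRS registry key not found: HKLM\$subKeyPath" }
    try {
        $before = [int]$key.GetValue('BurFlags')     # 0 if the value does not exist yet
        $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $after  = [int]$key.GetValue('BurFlags')
    } finally {
        $key.Close()
    }
    Write-Host ('BurFlags on {0}: {1:X} -> {2:X}' -f $env:COMPUTERNAME, $before, $after)
}

function Get-FrsStartupEvents {
    # Newest FRS events; event 13516 is the usual "SYSVOL initialized" success entry.
    Get-EventLog -LogName Application -Source NtFrs -Newest 15 |
        Select-Object TimeGenerated, EventID, EntryType,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(90, $_.Message.Length)) } }
}

function Test-SysvolReplication {
    # Manual replication check from step 5: drop a marker file into the local
    # Policies folder and look for it on every DC through its SYSVOL share.
    param([int]$WaitSeconds = 60)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $marker = 'frs-replication-test-{0}-{1:yyyyMMddHHmmss}.txt' -f $env:COMPUTERNAME, (Get-Date)
    $local  = Join-Path $env:SystemRoot ('SYSVOL\sysvol\{0}\Policies\{1}' -f $domain.Name, $marker)
    Set-Content -Path $local -Value "replication test from $env:COMPUTERNAME"
    Start-Sleep -Seconds $WaitSeconds
    foreach ($dc in $domain.DomainControllers) {
        $remote = '\\{0}\SYSVOL\{1}\Policies\{2}' -f $dc.Name, $domain.Name, $marker
        $state  = if (Test-Path $remote) { 'replicated' } else { 'MISSING' }
        Write-Host ('{0,-35} {1}' -f $dc.Name, $state)
    }
    Remove-Item $local   # FRS replicates the deletion as well
}

Confirm-FrsStopped
Set-BurFlags -Value $burFlags
if ($RestartFrs) {
    Start-Service -Name NtFrs        # equivalent of "net start ntfrs"
    Start-Sleep -Seconds 30
    Get-FrsStartupEvents | Format-Table -AutoSize
    Test-SysvolReplication
}
```

Run it on the D4 machine first, then on each D2 machine; the marker file created by Test-SysvolReplication should show as "replicated" on every DC once FRS has finished initializing SYSVOL, and a "MISSING" line points at the DC whose Application log needs a closer look.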
We had very few problems after running this process. It was just better than where we were.