Replaced default "Domain Group Policy" - potential problem?

Jesse

I recently realized that the Domain Group Policy is not the original
one that was created with the domain. The original, the one with the
31B... UID, appears to have been copied and then mostly cleared out for
some reason. The original was renamed, and I always suspected
something was up with it as I was never able to delete it. I'm
guessing I can go to the sysvol folder and give myself permissions to
delete it, but I am unsure if that will cause any other issues.

My question is, will deleting this policy, which is disabled now,
cause any issues in the future? I know I can recreate just that policy
once I move to 2003 Domain Controllers, and I have backups of the
policies, but I'd rather not delete it if it will cause problems.

I would also like to know how the policies in the Domain Group Policy
are active, even though there is nothing defined in them. As in, the Domain
Group Policy has lots of Security Settings and whatnot that show up as
configured under settings, but there is really nothing configured.
Does the domain just make these security settings active for the GPO
that's named "Domain Group Policy" or is there something else that is
needed to be done to make this the official Domain Group Policy and
have these settings take effect. I guess there could also be a problem
if this policy was renamed, or not.

Thanks
 
Jmnts

Hi

Check:

restoration of the Default Domain and Default Domain Controllers policy
files, in case of accidental deletion
http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Exchange Server permissions are removed by the RecreateDefPol.exe tool in
Windows 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;887442

How to restore deleted GPO policy files to Active Directory on a computer
that is running Windows 2000 Server
http://support.microsoft.com/?kbid=842252
 
Jesse

Thanks, but I already knew most of that. The gist of the question is
really if it is necessary to use 'the original' (with the original UID)
domain group policy, or will this copy that was made suffice. The
other stuff was just me being curious.
 
Jmnts

Thanks, but I already knew most of that. The gist of the question is
really if it is necessary to use 'the original' (with the original UID)
domain group policy, or will this copy that was made suffice. The
other stuff was just me being curious.

Yes, you should use the default GUID, and you should use the default name,
and permissions, so that you can use the MS tools to replace the default
settings.
This policy has some important security settings that apply to all
computers in the domain and you shouldn't mess with that; what you can do is
configure another one with a higher priority and change what doesn't
apply in your scenario.

Yes, it's possible to delete the policy (I don't see any reason for doing
that).


The other important GP is the Default Domain Controllers Policy, which
controls the behavior of the DCs relating to the network. (It contains very
important security settings; please don't mess with that one either.)

I hope it helps
 
Mark Heitbrink [MVP]

Hi,
Thanks, but I already knew most of that. The gist of the question is
really if it is necessary to use 'the original' (with the original UID)
domain group policy, or will this copy that was made suffice. The
other stuff was just me being curious.

You should work with the original GUID. It's hardcoded and the same
in every AD. You can work with self-created ones, but then you are
not aware of the strange ideas a software developer can have if
his software will try to edit it and he uses the MS GUIDs ...

Mark
 
Jesse

Mark said:
Hi,


You should work with the original GUID. It's hardcoded and the same
in every AD. You can work with self-created ones, but then you are
not aware of the strange ideas a software developer can have if
his software will try to edit it and he uses the MS GUIDs ...

Mark


Good point Mark, thanks for pointing that out. I guess I'll wait until
I migrate to 2003 domain controllers so I can restore the Domain Group
Policy without touching the domain controllers policy.

Jesse
 
Mark Heitbrink [MVP]

Hi,
Good point Mark, thanks for pointing that out. I guess I'll wait until
I migrate to 2003 domain controllers so I can restore the Domain Group
Policy without touching the domain controllers policy.

Do it right now ...
- use GPMC on an XP client and copy the existing ones
- link them to the right containers (AD and DCs)
- move them up, so that they have a higher priority
and run after the DefPols
- use recreatedefpol to restore the original

What happens:
- The "clean" DefPols will run, but right after them
your copies will, so the effective settings come out of
your copies
- Everything stays like it is (should... ;-)

Then you can start to clean up your settings in your copies

Mark
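
An added example, not part of the thread: a read-only check that the two default GPOs still exist under their well-known GUIDs, whether they were renamed, and which GPO links at the same container have higher precedence (as the copies would in the procedure above). It assumes a domain-joined machine with the RSAT GroupPolicy PowerShell module, which postdates the Windows 2000/XP tools discussed here; the full GUIDs and default names are the well-known values, not taken from this thread.

```powershell
# Added example: read-only check, makes no changes to any GPO or link.
Import-Module GroupPolicy   # assumption: RSAT GroupPolicy module is installed

# Well-known GUIDs of the two default GPOs (the same in every AD domain).
$defaults = @(
    @{ Guid = '31B2F340-016D-11D2-945F-00C04FB984F9'
       Name = 'Default Domain Policy'
       Rdn  = '' },                          # linked at the domain root
    @{ Guid = '6AC1786C-016F-11D2-945F-00C04FB984F9'
       Name = 'Default Domain Controllers Policy'
       Rdn  = 'OU=Domain Controllers,' }     # default Domain Controllers OU
)

$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

$report = foreach ($d in $defaults) {
    $target = $d.Rdn + $domainDn
    $gpo = Get-GPO -Guid $d.Guid -ErrorAction SilentlyContinue
    if (-not $gpo) {
        Write-Warning "No GPO with GUID $($d.Guid); the default policy is missing."
        continue
    }

    # Links set directly on the container; Order 1 has the highest precedence.
    $links = @((Get-GPInheritance -Target $target).GpoLinks)
    $own   = $links | Where-Object { $_.GpoId -eq $gpo.Id } | Select-Object -First 1
    $above = @()
    if ($own) { $above = @($links | Where-Object { $_.Order -lt $own.Order }) }

    [pscustomobject]@{
        DisplayName      = $gpo.DisplayName
        Renamed          = ($gpo.DisplayName -ne $d.Name)
        GpoStatus        = $gpo.GpoStatus    # e.g. AllSettingsDisabled
        LinkedAt         = if ($own) { $target } else { '(not linked here)' }
        LinkEnabled      = if ($own) { $own.Enabled } else { $false }
        LinkOrder        = if ($own) { $own.Order } else { $null }
        HigherPrecedence = ($above.DisplayName -join '; ')
    }
}

$report | Format-List
```

A `Renamed` value of `True` or a `GpoStatus` of `AllSettingsDisabled` on either entry matches the situation described in the first post.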
 
Jesse

Mark said:
Hi,


Do it right now ...
- use GPMC on an XP client and copy the existing ones
- link them to the right containers (AD and DCs)
- move them up, so that they have a higher priority
and run after the DefPols
- use recreatedefpol to restore the original

What happens:
- The "clean" DefPols will run, but right after them
your copies will, so the effective settings come out of
your copies
- Everything stays like it is (should... ;-)

Then you can start to clean up your settings in your copies

Great idea, thanks Mark!
 