DCGPOFIX - to be used - only in the last resort.

I have been working quite allot with Group Policy objects and have recently been involved in troubleshooting them. As a last resort if all else fails, and your Default Domain Policy and Default Domain Controller Policy is beyond repair,or somehow has been deleted. Then you can use a utility which is shipped out with Windows 2003 which is DCGPOFIX.EXE. This utility comes with several prerequisites

  • You must be either logged on as the Domain Administrator or the Enterprise Administrator to run this utility.
  • Located in the Windows\system32 directory
  • To run it against the Domain the syntax is dcgpofix /target:Domain
  • To run it against the Domain Controller the syntax is

dcgpofix /target:dc

Please note however this will restore the Default Group Policies to how they were just after the Active Directory was installed.

By using the following switch

  • /Ignoreschema   - this enables you to use Dcgpofix.exe with different versions of the Active Directory. However, compatibility issues may arise doing this.

 

However please take note of the following kbarticle when using this Utility https://support.Microsoft.com/kb/833783/en-us. This highlights that the DCGPOFIX.EXE utility may not be able to return the security settings to precisely the original state. Therefore further remedial work may have to be undertaken. It is therefore recommended that you should use the GMPC to make regular backups of your Policies, to avoid having to use this utility.