Schema update resets group policy


bob

We recently ran the schema updates to add 2003 dc's to our
w2k/exchange2k domain. This appeared to work without error and we've a
few working 2003 dc's on the domain.

Not so long after that we've started seeing some odd behavior in group
policy. The password policy had been reset to default, which allowed
blank passwords - none of the admins have reset this.

Also, whilst adding another 2003 DC, dcpromo failed with access denied -
turned out the admin account wasn't granted the right to delegate or
something or other (sorry, can't remember exactly) - but basically it's
almost as though group policy is being tampered with or reset to
defaults or something.

Is there a tool that we can run to tell us what has been changed in the
last x days or what items do not conform to defaults? Either that or
I'll run up another DC with a new fresh domain to see what the defaults
are so I can check against ours.
 
Well it hasn't been reset to default that is for sure. Default password
policy does not permit for no password. It sounds like there was / is an FRS
replication issue in which the GPOs have not replicated around properly.

There is no tool to tell what GPOs have been changed in the past... You can
configure auditing to see who changed an item but not what they changed in
it. Also, auditing will not go back in time; what's done is done, you can
only catch what happens in the future.

You may want to consider running dcgpofix on the 2003 DC. This will allow
you to reset the Default Domain and Default Domain Controllers policies back
to defaults. If you choose to do this and have Exchange in the environment,
ensure that you add domain\Exchange Enterprise Servers to the Manage Auditing
and Security User right in the Default Domain Controllers policy OR re-run
the Exchange domainprep, as Exchange will fail without this right.

Brian Delaney
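
The replication explanation in the answer above can be checked by comparing each DC's SYSVOL copy of the Default Domain Policy (GPT.ini version and the [System Access] section of GptTmpl.inf). This is an added example, not part of the original thread; it runs on constructed file contents, and the DC names, values and function names are assumptions.

```python
import configparser

# Constructed sample data: GPT.ini and part of GptTmpl.inf as they might be
# read from the Default Domain Policy folder in each DC's SYSVOL share.
# DC names and values are made up for illustration.
SAMPLES = {
    "dc-w2k-01": ("[General]\nVersion=65539\n",
                  "[System Access]\nMinimumPasswordLength = 7\nPasswordComplexity = 1\n"),
    "dc-w2k-02": ("[General]\nVersion=65539\n",
                  "[System Access]\nMinimumPasswordLength = 7\nPasswordComplexity = 1\n"),
    "dc-2003-01": ("[General]\nVersion=65537\n",
                   "[System Access]\nMinimumPasswordLength = 0\nPasswordComplexity = 0\n"),
}

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written in the file
    cp.read_string(text)
    return cp

def gpo_state(gpt_ini, gpttmpl):
    """Return (user_version, computer_version, password settings) for one copy."""
    version = int(_parse(gpt_ini)["General"]["Version"])
    tmpl = _parse(gpttmpl)
    access = dict(tmpl["System Access"]) if tmpl.has_section("System Access") else {}
    # GPT.ini packs the user version in the high 16 bits, computer in the low 16.
    return version >> 16, version & 0xFFFF, access

def compare_copies(samples):
    """Group DCs holding identical copies; list DCs whose copy sets minimum length 0."""
    groups, blank_ok = {}, []
    for dc, (ini, tmpl) in sorted(samples.items()):
        user_v, comp_v, access = gpo_state(ini, tmpl)
        key = (user_v, comp_v, tuple(sorted(access.items())))
        groups.setdefault(key, []).append(dc)
        # Only flag an explicit 0; a missing key means "not defined in this GPO".
        if access.get("MinimumPasswordLength") == "0":
            blank_ok.append(dc)
    return {"in_sync": len(groups) == 1,
            "groups": list(groups.values()),
            "blank_password_allowed": blank_ok}

if __name__ == "__main__":
    report = compare_copies(SAMPLES)
    print("copies identical on all DCs:", report["in_sync"])
    for members in report["groups"]:
        print("  same copy:", ", ".join(members))
    print("minimum length 0 on:", report["blank_password_allowed"] or "none")
```

On a live domain the two strings per DC would come from that DC's own SYSVOL share rather than the domain DFS path, so that each replica is read separately.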
 