Lessons Learned

This scenario is exactly why you shoudl never edit any "Default" GP Objects in your network. There's no real "undo" function if something goes horribly awry.

When you get to a point where you absolutely cannot work around the issue, you can use a tool called "dcgopfix" to reset the Default Domain policy and the Default Domain Controllers policy, but the tool does not necessarily get you to a point where you really want to be. MS has an article, KB833783, that talks about the issues related to running dcgpofix. The bottom line is that dcgopfix resets the Default Domain policy and the Default Domain Controllers policy to the state they were before the server was promoted to a domain controller. In the world of SBS, knowing this is especially crucial as setting up AD on the SBS box is one of the first steps done in the server setup process. There are a number of SBS-specific customizations that are performed after the SBS server becomes a domain controller that this tool cannot replicate.

Unfortunately, the discussions about this I've seen this week are not unique or rare. I've encountered a number of scenarios where otherwise capable consultants have instructed others to make changes to the default GPOs and not worry because they've got the failsafe dcgpofix tool to bail them out if things don't work as expected. But it doesn't work that way.

We've got to get back in the habit of recommending our clients test changes to GPO settings before putting them into a production environment. You just can't do that when changing the Default Domain and Default Domain Controller GPOs.

Now, as promised earlier, links to resources on learning about Group Policy.

Microsoft Webcast on Group Policy:
http://www.microsoft.com/seminar/events/series/grouppolicy.mspx

Jeremy Moscowitz, GP author and instructor:
http://www.moskowitz-inc.com/

RealTime publishers book on GP:
http://cc.realtimepublishers.com/publicationhome.asp?pid=25