The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

The documentation for the Dcgpofix.exe tool incorrectly indicates that the Dcgpofix tool will restore security settings in the Default Domain Controller Policy to the same state that they were in immediately after Dcpromo successfully completed. This is not the case.

It is best to use the Dcgpofix tool only in disaster recovery scenarios. The Dcpromo operation modifies the security of the domain in an incremental manner, based on the existing security settings on that server. Therefore, after you run Dcpromo, the final set of security settings in the Default Domain Controller Policy depends on both the Dcpromo operation and the security state of the system that existed before you ran Dcpromo. Before you run Dcpromo, the security state of the system can be modified by a number of mechanisms. For example, when you install some server applications, changes may be made to user rights that are granted to local user accounts, such as the SUPPORT_388945a0 account.
The Dcgpofix tool cannot know what state the security settings were in before you run Dcpromo. Therefore, the Dcgpofix tool cannot return the security settings to precisely the original state. Instead, the Dcgpofix tool recreates the two default Group Policy objects (GPOs) and creates the settings based on the operations that are performed only during Dcpromo.

If you have a new installation of Microsoft Windows Server 2003 and no security changes are made to the operating system before you run Dcpromo, the recreated Default Domain Controller Policy that is created by Dcgpofix will be almost the same as the Default Domain Controller Policy just after you run Dcpromo. However, there will be some differences in the settings in the Default Domain Controller Policy in this case.
For general backup and restore of the Default Domain Policy and Default Domain Controller Policy, and also for other GPOs, Microsoft recommends that you use the Group Policy Management Console (GPMC) to create regular backups of these GPOs. You can then use GPMC in conjunction with these backups to restore the exact security settings that are contained in these GPOs.

For more information about the GPMC, visit the following Microsoft Web site:If you are in a disaster recovery scenario and you do not have any backed up versions of the Default Domain Policy or the Default Domain Controller Policy, you may consider using the Dcgpofix tool. If you use the Dcgpofix tool, Microsoft recommends that as soon as you run it, you review the security settings in these GPOs and manually adjust the security settings to suit your requirements. A fix is not scheduled to be released because Microsoft recommends you use GPMC to back up and restore all GPOs in your environment. The Dcgpofix tool is a disaster-recovery tool that will restore your environment to a functional state only. It is best not to use it as a replacement for a backup strategy using GPMC. It is best to use the Dcgpofix tool only when a GPO back up for the Default Domain Policy and Default Domain Controller Policy does not exist.
The following table lists differences in security settings in the Default Domain Controller Policy after you run the Dcgpofix tool and the settings on a new installation of Windows Server 2003 after you run Dcpromo. Microsoft recommends that you adjust these security settings to match the requirements in your environment after you run the Dcgpofix tool.

Setting in Default Domain Controller PolicyValue after running DCPromo on cleanly installed Windows Server 2003 systemValue after running DCGPOFIX
Audit Settings
Audit Account ManagementSuccessNo Auditing
Audit Directory Service AccessSuccessNo Auditing
Audit Policy ChangeSuccessNo Auditing
Audit System EventsSuccessNo Auditing
User Rights
Create Global ObjectsNot definedSERVICE, Administrators
Deny access to computer from networkSUPPORT_388945a0(Empty)
Deny logon locallySUPPORT_388945a0(Empty)
Impersonate a client after authenticationNot definedSERVICE, Administrators
Load and unload device driversAdministrators, Print OperatorsAdministrators
Log on as a batch jobLOCAL SERVICE, SUPPORT_388945a0(Empty)
Log on as a serviceNETWORK SERVICE(Empty)
Shut down the systemAdministrators, Backup Operators, Server Operators, Print OperatorsAccount Operators, Administrators, Backup Operators, Server Operators, Print Operators

The following settings will change after you run the Dcgpofix tool:
  • AuditAccountManage
  • AuditDSAccess
  • AuditPolicyChange
  • AuditSystemEvents
  • SeCreateGlobalPrivilege
  • SeImpersonatePrivilege
  • SeLoadDriverPrivilege
  • SeShutdownPrivilege
Based on configuration options, the following settings may also change the following:
  • SeBatchLogonRight (only LOCAL SERVICE, not the SUPPORT_388945a0 account)
  • SeServiceLogonRight

आलेख ID: 833783 - पिछली समीक्षा: 03/16/2007 03:56:07 - संशोधन: 1.3

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

  • kbwinservds kbwinservperf kbmgmtservices kbinfo KB833783