Re: Default Domain Controllers Policy reverts to previous settings

Subject: Re: Default Domain Controllers Policy reverts to previous settings
Posted by: Chriss3 [MVP]
Date: Mon, 5 Feb 2007

I don't think it's a good idea to use the setting "Enforce Policy" for the
DDP and the DDCP. If Auditing is defined in the DDP it will take precedence
over all other Audit settings from any other GPO except if a Policy is
linked more closely to the object and also has the "Enforce Policy" flag.

Use RSOP (Result Set of Policies) to troubleshoot Group Policies. Use the
following tools: RSOP.msc (Windows Server 2003, Windows XP) and gpresult
(Windows 2000).
Search Google for gpresult and download the gpresult.exe for Windows 2000.
These tools will help you to determine how policy settings apply to your
computers and servers.

Christoffer Andersson
Executive Consultant - TrueSec
Microsoft MVP - Directory Services


<ke…> wrote in message
> This one is driving me off the deep end, I hope someone has an idea on
> this. Our forest is an empty root with three domains under it. In the
> domain I manage both DDP and DDCP policies are enforced. Auditing
> settings are defined in both policies, not my idea I inherited this
> config from previous administrators. What I need to accomplish is
> this.
> 1) Create new auditing policy linked to the domain. (not enforced)
> This is to allow sys-admins of member servers to audit additional
> events as needed.
> 2) Remove all auditing policies from DDP.
> 3) Set auditing policies for the DCs to prevent event log overfill. So
> I need to set a slightly different set of auditing policies in the
> DDCP to accomplish this.
> Everything worked great in the test forest, doesn't it always. When I
> made the change in the production domain I found that the DDCP
> auditing settings would revert to their previous settings within an
> hour after change. The other DAs assure me that none of them are
> running anything to affect the DDCP. At this point I can only assume
> that it is something corrupt on one of my DCs. I have determined that
> there are no morphed folders in any sysvol location.
> Domain and forest are at Windows 2000 Native mode.
> Domain contains a mix of Windows 2000 sp4 and Windows 2003 sp1 DCs
> (Upgrade starts next year, yeah!)
> 5 DCs located in my central datacenter where I am at and another 90
> DCs located around the country.
> I am stumped at this point about what to look at next. And of course
> management wants me to exhaust ALL avenues before they will let me open
> a case with Microsoft.
> Ken Zalewski


In response to

Default Domain Controllers Policy reverts to previous settings posted by ke… on Tue, 30 Jan 2007