Default Domain Policy is missing registry.XML in User Preferences


Mike Leone

Aug 1, 2022, 9:59:42 AM
to NTSysAdmin
Decades ago, we apparently didn't follow good practices, and my Default Domain Policy has lots and lots of entries in it. (I know, I know, but I've never been able to get that changed. Maybe now ..)

Anyway, we had IE Zones set up using GP Preferences. Now, since IE is going the way of the dodo, we're trying to disable IE. So I figured I would make a GPO that enabled the new setting to disable IE entirely. And while I was at it, I would try and remove those IE Zones reg entries we had set.

But when I look at the default policy, it tells me that it could not find the Registry.XML file. And it's true, there's no file there.

SO: how do I best resolve this? Do I just make a new registry entry, like set my own value somewhere in the hive, so that the registry.xml recreates?

If so, that will make this error go away (I hope), but how do I tell it to remove the entries for the IE Zones it had set (and do I need to)? I did save a copy of the policy, and I do see what those entries are. Should I just make similar entries in my new "IE Disable" GPO, but set the reg to DELETE, instead of UPDATE?


--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Micheal Espinola

Aug 1, 2022, 12:28:36 PM
to ntsys...@googlegroups.com
If your immediate concern or need is to just make that error go away, I believe you can manually create an empty file in its place.

--
Espi

Orlebeck, Geoffrey

Aug 1, 2022, 1:54:44 PM
to ntsys...@googlegroups.com

If the ultimate goal is to clean up and bring the default policy back to baseline, you can use the dcgpofix command. I’ve had to do it at about a half-dozen places over the years. My general workflow is:

  1. Create backup copy of the policy before any work is done (this is your break-glass/revert option if something goes sideways)
  2. Migrate any custom policies that need to persist from the current “Default Domain Policy” GPO into its own custom policy
  3. Run dcgpofix command and verify default domain policy is good
    1. If necessary, add back custom settings that should be managed there (account policies, password policies, etc.).
  4. Force gpupdate on a machine and verify it doesn’t explode
  5. After a couple days I’ll back up/export the policy backup from step 1 and then delete it.

Command reference here: <https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix>. You can find articles online as well.

Thanks,

Geoff
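
The workflow from the reply above, together with a check for the missing Registry.xml from the original question, as an added PowerShell example that is not part of the thread. It assumes the GroupPolicy RSAT module and an elevated Domain Admin session on a domain controller; the backup folder `C:\GPOBackup\DDP-pre-reset` and the `$cutOver` guard are hypothetical names chosen for illustration.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the thread. Paths and $cutOver are illustrative.

$gpoName   = 'Default Domain Policy'
$backupDir = 'C:\GPOBackup\DDP-pre-reset'   # assumed location, outside SYSVOL
$cutOver   = $false                          # set to $true only after step 2 is done

# Step 1: break-glass backup plus a readable report of every current setting.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backup = Backup-GPO -Name $gpoName -Path $backupDir -Comment 'Before dcgpofix'
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir 'DDP-before.html')
"Backup id (needed for a revert): $($backup.Id)"

# The condition from the original question: does the user-side Preferences
# Registry.xml exist under this GPO's folder in SYSVOL?
$gpo    = Get-GPO -Name $gpoName
$sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
$regXml = Join-Path $sysvol 'User\Preferences\Registry\Registry.xml'
"Registry.xml present: $(Test-Path -LiteralPath $regXml)"

# Step 2 is manual: use DDP-before.html to move every custom setting that
# must persist into its own GPO, then link and test that GPO.
if (-not $cutOver) {
    'Stopping before the reset. Finish step 2, then set $cutOver = $true.'
    return
}

# Step 3: reset only the Default Domain Policy (dcgpofix asks for confirmation),
# then capture the result so before and after can be compared.
dcgpofix /target:Domain
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $backupDir 'DDP-after.html')

# Step 4: refresh policy on a test machine and record what actually applied.
gpupdate /force
gpresult /h (Join-Path $backupDir 'gpresult-after.html') /f

# Revert, if something goes sideways:
# Restore-GPO -BackupId $backup.Id -Path $backupDir
```

Comparing `DDP-before.html` with `DDP-after.html` shows which account and password policy values have to be added back in step 3.1.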
