Usual story... I've inherited a mess of an AD DS environment. Some monkey decided at some point that it'd be a good idea to modify the Default Domain Policy and Default Domain Controller Policy, rather than create new policies to override the defaults. The default policies are a mess. They're full of wayward permissions (actual user accounts with Logon as Batch Job on the domain controllers!).
I discovered `dcgpofix`, and it seemed like the one. I took these steps to try and clean up these policies:
- Backed up both Default Domain and Default Domain Controller policies using the 'Backup' option in GPMC [just in case something I haven't discovered yet breaks because these dumb policies are gone]
- Ran `dcgpofix` - seemingly nothing happened. The policies looked untouched of their wayward ways, but the policies' Date Modified matched the time I ran the tool
- Since there was no luck, I figured I would just delete all settings from the policies using the Policy Editor...
- Ran `dcgpofix` again...

This is where it gets weird: the wayward settings returned! Despite the documented intent of `dcgpofix` to return the 'well known GUID' policies to defaults, they were returned but with the wayward settings coming back.
Now, I can only assume this might be intended behaviour... but this isn't what's implied by this documentation nor this documentation. For the record, the Default Domain Policy seemed to reset mostly OK; apparently someone had actually renamed it, and created another by the same name. But because it's based on GUID, it overwrote and reverted the custom name. I'm not certain the Default Domain policy is back to being as if it's a new domain, but it seems clear of the cruft that used to be in it. The Default Domain Controller Policy, however, is still a mess:
What I guess is happening is that these security policies are stored somewhere in one of the AD DS directory partitions (probably the 'configuration' one) and are being considered 'default', which is why the tool is reverting to them.
Questions:
- Is this the expected behaviour of `dcgpofix`?
- If so, where is it pulling this information from and can it be cleaned out?
- Has anyone cleaned up modified Default Policies before, and do they have any advice/recommendations?
EDIT 2018-02-15 1205 GMT: So! I tried this on a domain controller that we'd DcPromo'd after unlinking the wayward Default Domain Controller policy. This means none of that cruft will be tattooed to the DC. As suspected, the policy now looks a lot more like it should!
I'll still compare this to a fresh Server 2016 AD DS environment to ensure there's nothing missing that should be there; once I've done that I'll add an answer.
0 Answers
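For the clean-up the post describes (user accounts holding Logon as Batch Job in the Default Domain Controller Policy), the following is an added example, not part of the original post: it reads the `[Privilege Rights]` section of a policy's `GptTmpl.inf` security template and lists every entry that is not a well-known SID, so the same check can be run on the GPMC backup, on the policy after `dcgpofix`, and on a fresh reference domain. The function name and the sample template are constructed for illustration, and treating RIDs of 1000 and above as non-built-in is an assumption used as a review heuristic.

```powershell
# Added example: flag user-rights entries in a GptTmpl.inf that are not well-known SIDs.
function Get-PrivilegeRightOutlier {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$InfLine)

    $inSection = $false
    foreach ($line in $InfLine) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section holds user-rights assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

        $right = $Matches[1]
        foreach ($member in ($Matches[2] -split ',')) {
            $member = $member.Trim()
            if (-not $member) { continue }
            $reason = $null
            if ($member -match '^\*S-1-5-21-.+-(\d+)$') {
                # Domain-relative SID; assumption: RID >= 1000 means a created account or group.
                if ([int64]$Matches[1] -ge 1000) { $reason = 'domain account or group (RID >= 1000)' }
            } elseif ($member -notmatch '^\*S-1-') {
                # Entry written as a name instead of a SID.
                $reason = 'entry stored by name, not SID'
            }
            if ($reason) {
                [pscustomobject]@{ Right = $right; Member = $member.TrimStart('*'); Reason = $reason }
            }
        }
    }
}

# Constructed sample template (the SID and account name are made up).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1604,svc_backup
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

Get-PrivilegeRightOutlier -InfLine $sample | Format-Table -AutoSize
# Real use: Get-PrivilegeRightOutlier -InfLine (Get-Content '<path-to>\GptTmpl.inf')
```

Running it against the template from each stage and diffing the results with `Compare-Object` shows which assignments survived the reset.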