Did you find this useful?
Socialize it today.


Restoring the Default Domain GPOs

Friday, October 28, 2011

If you have reached this article, you probably have made changes to the Default Domain and/or Default Domain Controller group policy object and know you want to restore them back to their original settings.  If you would have followed best practices, rather than modifying these GPOs,  you would have created new custom GPOs and linked them to the relevant containers.   In any case, if you've already modified these GPOs and want to restore the default content, follow these steps:

Log on as a domain administrator to a domain controller (DC).

Open a command prompt (Start --> Run --> CMD)

Reset the GPO(s)

-To reset the Domain GPO, type
  • dcgpofix /target:Domain
-To reset the Default DC GPO, type
  • dcgpofix /target:DC
-To reset both the Domain and Default Domain Controller GPOs, type
  • dcgpofix /target:both

After you enter the appropriate command in Step 3, enter Y to both prompts.

Close the command prompt

If you type the command dcgpofix /target:both, you should expect to see the following output:

Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5.1


Copyright (C) Microsoft Corporation. 1981-2003

Description: Recreates the Default Group Policy Objects (GPOs) for a domain

Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]

This utility can restore either or both the Default Domain policy or the Default Domain Controller policy to the state that exists immediately after a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

You are about to restore Default Domain policy and Default Domain Controller policy for the following domain


itgeared.com


Do you want to continue: ? Y


WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail.


Do you want to continue: ? Y


The Default Domain Policy was restored successfully.

Note: Only the contents of the Default Domain policy was restored. Group Policy links to this Group Policy Object were not altered. By default, the Default Domain policy is linked to the Domain.

The Default Domain Controller policy was restored successfully.

Note: Only the contents of the Default Domain Controller policy was restored. Group Policy links to this Group Policy Object were not altered.

By default, the Default Domain Controller policy is linked to the Domain Controllers OU.


Additional resources and considerations:
Error message when you run the Dcgpofix.exe tool on a Windows Server 2008-based domain controller: "The Active Directory schema version for this domain and the version for this tool do not match":  http://support.microsoft.com/kb/947053

Description of Group Policy settings that are associated with RIS in Windows Server 2008
http://support.microsoft.com/kb/946395/en-us

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state
http://support.microsoft.com/kb/833783

Please help us spread the word by socializing it today!

email contact us

Did you find something wrong with the information on this page? Please take a moment to report it to us so that we can continue to improve the quality of the information on this site. Click here to report an issue with this page.



Recommended Books & Training Resources

Windows Server 2008 R2 Unleashed MCITP Windows Server 2008 Enterprise Administrator: Training Kit 4-Pack: Exams 70-640 70-642 70-643 70-647