Unable to restore domain GPO using DCGPOFIX

    Question

  • Hello,

    We had a ransomware issue that resulted in some of the GPOs being encrypted with the main one being the Default Domain Policy.  I have attempted to create a new Default Domain by using the following command :

     c:\Windows\system32>dcgpofix /target:Domain (run as administrator)

    I answer Y to both questions and then receive the following message:

    Unable to read EFS certificates from Registry.pol file of Default Domain Policy.

     The error was

    Unspecified error

    The restore failed.

    It was unable to be read because Registry.pol file is encrypted.

    Is there any way around this to be able to run the command?  Stupidly I have no backup of the GPO.  

    Thanks!

    Friday, April 08, 2016 7:15 PM

All replies

  • Hi Babvb,

    I suggest you log on with a domain administrator account,

    and do not use Run as administrator.

    In addition, the Dcgpofix tool must be run from a DC.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, April 11, 2016 8:14 AM
    Moderator
  • Hi Jay,

    Thanks for the response.  

    I attempted to run the command on a domain controller with a domain admin account and receive a message: Error: You have insufficient rights to run this tool.  You must have at least Domain Administrator rights to run this tool.

    The account that I am using is a domain administrator.

    Thanks

    Monday, April 11, 2016 6:40 PM
  • I created another domain admin account and get the same error.
    Monday, April 11, 2016 6:55 PM
  • Hi Babvb,

    Do you have a multiple-domain environment?

    If yes, you need to use the local domain administrator to run the tool.

    You could also try to run the tool as an Enterprise administrator.

    In addition, if the ways above do not work, I suggest you troubleshoot with Process Monitor.

    Best Regards,

    Jay



    Tuesday, April 12, 2016 7:58 AM
    Moderator
  • > *C:\Users\bbowers>dcgpofix /target: Domain*
     
    If this is copy/paste from the command window where you entered the
    command: Remove the space between "/target:" and "Domain".
     
    Tuesday, April 12, 2016 4:01 PM
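    The requirements scattered across the thread (run on a DC, run under a Domain Admins account, no space after `/target:`, and the fact that dcgpofix has to parse the existing Default Domain Policy Registry.pol before it will reset it) can be checked up front. The following PowerShell script is an added example and is not code from the thread or from Microsoft; the backup path `C:\GPO-Backup-PreDcgpofix` and the `Test-RegistryPolHeader` helper are assumptions for illustration. It refuses to run dcgpofix when the Registry.pol header is not the standard `PReg` signature with version 1, which is the condition that produces the "Unable to read EFS certificates" failure in the original post.

```powershell
# Added example: pre-flight checks before running "dcgpofix /target:Domain"
# on a domain controller after a ransomware incident. Assumes the GroupPolicy
# and ActiveDirectory modules (RSAT) are installed on the DC. $BackupRoot is an
# assumed path; Test-RegistryPolHeader is a helper written for this example.
#Requires -RunAsAdministrator
param(
    [string]$BackupRoot = 'C:\GPO-Backup-PreDcgpofix'
)
Import-Module GroupPolicy -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Well-known GUID of the Default Domain Policy (the same in every AD domain).
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

# 1. dcgpofix must run on a domain controller
#    (Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) {
    throw "Run this on a domain controller (DomainRole=$role)."
}

# 2. Check Domain Admins membership in the *logon token*, not only in AD:
#    a membership added after logon is not in the token until the user logs on again,
#    which is one way to get 'insufficient rights' while the account looks correct.
$domain          = Get-ADDomain
$domainAdminsSid = "$($domain.DomainSID.Value)-512"   # RID 512 = Domain Admins
$token           = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($token.Groups.Value -notcontains $domainAdminsSid) {
    throw "Token for $($token.Name) lacks Domain Admins ($domainAdminsSid); log off and on again as a domain admin."
}

# 3. Back up every GPO that can still be read before touching anything.
#    Encrypted GPOs will fail to back up; record them instead of aborting.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$unreadable = @()
foreach ($gpo in Get-GPO -All) {
    try {
        Backup-GPO -Guid $gpo.Id -Path $BackupRoot -ErrorAction Stop | Out-Null
    } catch {
        $unreadable += $gpo.DisplayName
        Write-Warning "Backup failed for '$($gpo.DisplayName)': $($_.Exception.Message)"
    }
}

# 4. Validate the Default Domain Policy's machine-side Registry.pol in SYSVOL.
#    A genuine Registry.pol begins with the ASCII signature 'PReg' followed by
#    a little-endian DWORD version of 1; a ransomware-encrypted file will not.
function Test-RegistryPolHeader([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return 'truncated' }
    $sig = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
    $ver = [System.BitConverter]::ToUInt32($bytes, 4)
    if ($sig -eq 'PReg' -and $ver -eq 1) { return 'valid' }
    return 'corrupt-or-encrypted'
}
$dns     = $domain.DNSRoot
$polPath = "\\$dns\SYSVOL\$dns\Policies\$DefaultDomainPolicyGuid\Machine\Registry.pol"
$state   = Test-RegistryPolHeader $polPath
Write-Host "Default Domain Policy Registry.pol is $state ($polPath)"

# 5. Only run the reset if the file dcgpofix has to parse is intact; otherwise stop,
#    since this is the file it reads the EFS certificates from.
if ($state -ne 'valid') {
    Write-Warning "dcgpofix will not be able to read EFS certificates from this file; recover a readable copy first."
    return
}
# Note the syntax: no space between '/target:' and 'Domain'. The tool still
# prompts interactively (answer Y twice) before it rewrites the policy.
Write-Host 'Running: dcgpofix /target:Domain'
& "$env:SystemRoot\System32\dcgpofix.exe" /target:Domain
```

    Run it from an elevated PowerShell session on the DC while logged on interactively as a Domain Admins member. The token check is deliberately stricter than `Get-ADGroupMember`, because dcgpofix evaluates the caller's token, and the header check is conservative: a missing or truncated file also stops the script rather than assuming dcgpofix will cope with it.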
  • Thanks Martin I did have the space (which caused a different error).

    Jay, single domain and the account is also a member of the Enterprise administrators group.

    Tuesday, April 12, 2016 5:58 PM
  • I have captured the event using Process Monitor. Is there an easy way to post the results?
    Tuesday, April 12, 2016 6:02 PM
  • Hi Babvb,

    You could take a screenshot and post it.

    Best Regards,

    Jay



    Thursday, April 14, 2016 6:51 AM
    Moderator
  • https://onedrive.live.com/redir?resid=CC7DDB1693C74C18!5508&authkey=!AB2iKeUjwRL96xk&ithint=file%2cPML

    I have attached a link to the log file; it is too large for a screenshot.  Thanks!

    Thursday, April 14, 2016 6:47 PM
  • Hi Babvb,

    I cannot open the file you provided, would you post it with another way?

    Best Regards,

    Jay



    Monday, April 18, 2016 9:25 AM
    Moderator
  • Hey Babvb,

    I have the same issue after a ransomware attack, so I was wondering if you found a solution to your problem? Did you succeed in resetting the default domain GPO?

    Thanks in advance!

    Basheir

    Wednesday, May 31, 2017 7:14 PM