Default Domain Policy and Default Domain Controller Policies have incorrect GUID


  • I've just noticed at my work domain that the Default Domain Policy and the Default Domain Controllers Policy both have an incorrect GUID. It looks like they have been renamed, their settings changed and they have been moved elsewhere in the OU tree with new policies created in their place. On top of this we are experiencing some errors (ID 1030 & 1058) in the error log relating to being unable to query for the list of Group Policy objects and that it can't access the gpt.ini file for the Default Domain Controllers policy that has been created.

    I'd like to restore them to their original place and so my plan would be to:

    1. Create new policies with the exact same settings (including security settings)

    2. Link them to the same OU they are currently applied to

    3. Unlink the existing ones.

    4. Alter the ones I've just unlinked (the ones with the Domain and Domain Controller GUID) to have the same settings as the ones which have been created in their place.

    5. Link the Default Domain Policy to the root, and the Default Domain Controllers Policy to the Domain Controllers OU

    6. Unlink the existing ones

    I realise there's dcgpofix, but I'm apprehensive to use this since it's a production environment.

    I also realise it's best practice not to change the Default Domain and Default Domain Controllers policy and so further down the line I will look to extract the settings which aren't default to another GPO. I just wondered if the plan is a sensible one, if it should be executed in that order, and whether there are any particular pitfalls to look out for since the GPOs are the Domain Policy and Default Domain Controllers policy.

    Thanks in advance.

    Tuesday, September 29, 2015 7:43 AM

All replies

  • Hi,

    If you have any good backups of the GPOs or system state backups you could use those to restore your GPOs. Dcgpofix will restore the 2 GPOs to original state, which means if you made any changes or added additional settings to any of the 2, those will not be restored. Looks to me that you may have a SYSVOL issue as well. Are the other GPOs working? Is SYSVOL being replicated between your DCs?



    Tuesday, September 29, 2015 7:56 AM
  • Hi Calin, thanks for your reply.

    The changes were made years ago - there are no backups.

    Yes the other GPOs are working, and I can actually see the GPO it complains about in SYSVOL and it has the correct permissions, it's just a Windows 2003 Server throwing the error for whatever reason. I read elsewhere on another tech forum that it was related to the user having deleted one of the default policies, so it was my intention to change them back - I was just wondering about the process and whether there's anything special about the default policies I should watch out for or whether I could literally just swap them back.

    • Edited by Tom TC Tuesday, September 29, 2015 11:02 AM
    Tuesday, September 29, 2015 10:58 AM
  • As already mentioned by Calin, you should only use Dcgpofix as a last resort as you'll lose all changes you made.
    For your steps above, after unlinking the existing ones (step 3), you can manually create new default GPOs instead of altering the older ones.
    For the detailed steps on How to manually create Default Domain GPO, please refer to this KB article:



    Ethan Hua


    Monday, October 05, 2015 10:14 AM
  • Thanks Ethan, and there's no issue with swapping the policies out i.e. unlinking them and relinking a new GPO in its place if the settings are the same? I'm just a little concerned given how widespread their effects are.
    Tuesday, October 06, 2015 9:14 AM
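
A read-only audit of the situation discussed in this thread, as an added example that is not from any of the posters: it looks up the two default GPOs by their well-known GUIDs (fixed values in every AD domain), reports what they are currently named and where they are linked, and tests whether each DC serves their gpt.ini from SYSVOL. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and makes no changes.

```powershell
# Added example: read-only audit of the two default GPOs by well-known GUID.
Import-Module GroupPolicy, ActiveDirectory

# Well-known GUIDs, identical in every AD domain.
$expected = [ordered]@{
    '31B2F340-016D-11D2-945F-00C04FB984F9' = 'Default Domain Policy'
    '6AC1786C-016D-11D2-945F-00C04FB984F9' = 'Default Domain Controllers Policy'
}

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$gpoRows    = @()
$sysvolRows = @()

foreach ($guid in $expected.Keys) {
    $gpo = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
    if (-not $gpo) {
        Write-Warning "No GPO object with GUID {$guid} ($($expected[$guid]))"
        continue
    }

    # Where the object holding the well-known GUID is linked right now.
    [xml]$report = Get-GPOReport -Guid $guid -ReportType Xml
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '

    $gpoRows += [pscustomobject]@{
        Guid         = "{$guid}"
        ExpectedName = $expected[$guid]
        CurrentName  = $gpo.DisplayName
        Renamed      = $gpo.DisplayName -ne $expected[$guid]
        LinkedTo     = $links
    }

    # Events 1030/1058 mention gpt.ini, so test the file on each DC's own SYSVOL.
    foreach ($dc in $dcs) {
        $ini = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\{$guid}\gpt.ini"
        $sysvolRows += [pscustomobject]@{
            DC = $dc; Guid = "{$guid}"; GptIniReadable = Test-Path -LiteralPath $ini
        }
    }
}

$gpoRows    | Format-List
$sysvolRows | Format-Table -AutoSize

# GPOs that carry a default name but not the well-known GUID (the replacements).
Get-GPO -All |
    Where-Object { $expected.Values -contains $_.DisplayName -and
                   $expected.Keys -notcontains $_.Id.ToString().ToUpper() } |
    Format-Table DisplayName, Id, CreationTime, ModificationTime -AutoSize
```

A DC that shows `GptIniReadable = False` while the others show `True` points at SYSVOL replication rather than at the GPO objects themselves.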