How to reset Default Domain Policy???

  • Question

  • Hi guys!!!

    I am the new network administrator of a small company. I am wondering if there is any way to reset the default domain policy of W3k server network because of the following reason:

    The last IT admin of the company placed all the computers under the folder "computers" and all the users under the folder "users" in the root domain tree, and under these folders no policy is applied to any of the users or computers. Since I am trying to organize the domain tree by creating OUs and moving the users and computers to their specific locations, the default domain policy started applying to all items and I started having all kinds of strange behaviors on my devices like.... Can not connect to servers through remote desktop; it asks for terminal services authentication...; and all kinds of stuff.

    I think he changed the configuration of the default domain policy!!!

    Regards
    Friday, August 21, 2009 8:14 AM

Answers


  • Hi

    1. Log on as a domain administrator to a DC.
    2. Start a command session.
    3. To reset the Domain GPO, type
    dcgpofix /target:Domain
    To reset the Default DC GPO, type
    dcgpofix /target:DC
    To reset both the Domain and Default DC GPOs, type
    dcgpofix /target:both

    4. After you enter the appropriate command in Step 3, enter Y to both prompts.
    5. Close the command window.

    Use the command-line tool dcgpofix:
    http://www.windowsitpro.com/Articles/ArticleID/41878/41878.html

    When using Exchange, you should also read the following:
    http://support.microsoft.com/kb/833783/en-us


    Deva


    Don't do what others say - listen to them, but do what you feel good doing.
    Friday, August 21, 2009 8:22 AM
  • I'd advise against using GPOFix (it's typically recommended as "the last resort").

    One less radical option would be to duplicate the existing domain-level group policy settings (GPMC should be helpful here - more info at http://technet.microsoft.com/en-us/library/cc758287(WS.10).aspx) to individual OU-level GPOs - (sounds like you want to separate computers and users into distinct OUs) - block the inheritance on the OU level, and modify each GPO individually (after backing it up with GPMC)...

    Once your environment is stable, you can clean up the domain-level GPOs at your leisure...

    hth
    Marcin

    Friday, August 21, 2009 2:19 PM

All replies


  • This is the result I got. There was some error:

    Copyright (C) Microsoft Corporation. 1981-2003

    Description: Recreates the Default Group Policy Objects (GPOs) for a domain

    Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH]


    This utility can restore either or both the Default Domain Policy or the
    Default Domain Controllers Policy to the state that exists immediately after
    a clean install. You must be a domain administrator to perform this operation.

    WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
    IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

    The Active Directory schema version for this domain, and the version supported
    by this tool do not match. The GPO can be restored using the /ignoreschema
    command line parameter. However, it is recommended that you try and obtain an
    updated version of this tool that may have an updated version of the Active
    Directory schema. Restoring a GPO with an incorrect schema may result in
    unpredictable behavior.
    The restore failed.  See previous messages for more details

    Friday, August 21, 2009 8:52 AM
  • I have been searching for the updated version of this tool but I was unable to find it. Since this is a very delicate process, is it safe to use the /ignoreschema parameter???

    Regards
    Friday, August 21, 2009 9:19 AM
  • I have this issue. I inherited a school district AD 2008R2 domain. It looks like the default domain policy was renamed and used as a WSUS policy. I can rename it, but our password policy seems to be linked to the Default Domain Controllers Policy.  Should I change this to use the default domain and not default domain controllers policy?
    Wednesday, December 5, 2012 3:41 PM
  • You can override using the /ignoreschema switch.  But it may be best to use the version of GPO fix that matches the AD schema version first.  In other words, if the schema is 2003R2 then use a copy of GPOfix.exe that shipped with 2003r2.  Use the switch only as a last resort.
    Tuesday, April 7, 2015 11:44 PM
  • Renaming the policy means nothing.  If you run GPOFix for example it identifies the GPO by the GUID,...not by the name,...so it will overwrite the policy no matter what it was named. It will also overwrite the name and restore the name back to the original name.

    To preserve anything important that might be in the policies, make copies of the policies and just leave them unlinked.

    GPOFix will replace the original copies but will not bother the copies you created.

    Tuesday, April 7, 2015 11:47 PM
  • I have this issue. I inherited a school district AD 2008R2 domain. It looks like the default domain policy was renamed and used as a WSUS policy. I can rename it, but our password policy seems to be linked to the Default Domain Controllers Policy.  Should I change this to use the default domain and not default domain controllers policy?

    The Domain Password Policy will inherit to the domain from the first linked GPO on the domain NC head (the domain top level object) - It doesn't matter if it's the original "Default Domain Policy" or another policy. In this case I would back up all existing GPOs with GPMC, run GPOFIX and re-create the WSUS policy.

    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

    Wednesday, April 8, 2015 1:21 AM
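
Added example (not part of any post in this thread): the "back up everything and keep unlinked copies before running GPOFix" advice above, scripted with the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2 and later. It finds the two default GPOs by their well-known GUIDs, so it also covers the renamed-policy case; the backup folder and the copy-name suffix are assumptions made for this example.

```powershell
# Added example: preserve the default GPOs before any dcgpofix run.
# Requires the GroupPolicy module (GPMC / RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

# Well-known GUIDs of the two default GPOs. They do not change when a GPO is
# renamed, which is why the lookup below is by GUID and not by display name.
$defaultGpos = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016D-11D2-945F-00C04FB984F9'
}

# Assumption: backup location and naming are placeholders chosen for this example.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = "C:\GPOBackup\$stamp"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Full backup of every GPO in the domain (restorable from GPMC).
Backup-GPO -All -Path $backupDir -Comment "Before dcgpofix $stamp" | Out-Null

foreach ($entry in $defaultGpos.GetEnumerator()) {
    $gpo = Get-GPO -Guid $entry.Value

    # Flag a default GPO that was renamed and repurposed (e.g. as a WSUS policy).
    if ($gpo.DisplayName -ne $entry.Key) {
        Write-Warning "$($entry.Key) is currently named '$($gpo.DisplayName)'"
    }

    # 2. Human-readable record of the current settings, for later comparison.
    $report = Join-Path $backupDir "$($entry.Key).html"
    Get-GPOReport -Guid $entry.Value -ReportType Html -Path $report

    # 3. Unlinked copy: Copy-GPO creates the new GPO without linking it anywhere,
    #    so it preserves the settings but applies to nothing.
    Copy-GPO -SourceGuid $entry.Value -TargetName "$($entry.Key) (copy $stamp)" |
        Out-Null
}

# 4. Record which GPOs are linked at the domain root and in what order,
#    since account policy for the domain is taken from GPOs linked there.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize
```

The script only reads, backs up and copies; it does not run dcgpofix or change any link. On Windows Server 2003, where this module is not available, the same backup and copy operations are done from the GPMC console.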