Reset the Default Domain and Domain Controller Group Policy Objects to their out of box state

,

So, I recently inherited a small client with SBS 2011 and their previous IT admin only ever used the Default Domain Policy to apply computer and users settings (such as mapped drives and printers). Microsoft has quite a strong recommendation of best practice for the two policies which goes along the lines of;

  • Default Domain Policy GPO should only be used to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.
  • Default Domain Controllers Policy GPO should only be used to set user rights and audit policies.

So I first needed to create separate GPOs to store these custom settings and then a way to clear out all of those changes and revert them back to their default state.  So how do you go about reversing the damage if you don’t have backups far enough?

In comes a small utility called dcgpofix which resets these two Group Policy Objects to their default settings. Launch an admin command prompt window and run the following command;

dcgpofix /target:both

Once executed it will confirm you want to restore them to their out of box defaults, which we can confirm with a couple of Y responses and then bang they should be restored, see the screen shot for an example of it running in my test lab.


2 responses to “Reset the Default Domain and Domain Controller Group Policy Objects to their out of box state”

  1. Rikesh Avatar
    Rikesh

    Does this overwrite the existing editted Default Domain policy?

    1. John Avatar
      John

      Hi Rikesh, yes it should. What ever changes that were made from the default configuration are removed.

Leave a Reply

More Posts

Connection closed gracefully error when sending bulk or large quantity of e-mails in an Exchange 2007/2010 environment

I was recently helping out an old work colleague who were having issues with their CRM software and sending bulk emails through their Exchange 2010 server. After around ten minutes they would receive an error message with connection closed gracefully.  They would then have to restart their mail out and need to monitor it for […]

Copying files from one server to another as a different user (two separate domains) using PowerShell

I’ve been working on needed to copy a number of files from one client site to another, my issue is that they have separate Active Directory domains and there is no trust between them. Using PowerShell, we can save a user credential and then use that to map a network drive with them and perform […]

How to Fix being unable to add, edit or delete domain controllers in the Domain Controllers Computer Set on Microsoft TMG or ISA 2006

There seems to be a bug in Microsoft’s TMG (Threat Management Gateway) / ISA 2006 (Internet Security and Acceleration Server) that once installed and configured, prevents an administrator from modifying the entries in the Domain Controllers Computer Set.  This Computer set is used in a number of System Policies and if you ever do an IP […]