How to reset the Default Domain Group Policy Objects (DCGPOFIX)

gp_logoIf you have ever read my Best Practice for Group Policy blog post then you will know that I encourage you to edit the default domain GPO’s sparingly. The only exception I would make to this rule is when you want to modify the default domain password policy but even then you can create a new password policy GPO linked at the domain level (See Tutorial: How to setup Default and Fine Grain Password Policy )

Even if you don’t want to take my word for it here is a reference on the TechNet web site say pretty much the same thing… 

TechNet: Establishing Group Policy Operational Guidelines

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.

So… Lets assume you have done everything wrong and either the Default Domain and/or the Default Domain Controller Group Policy objects have been modified and you want to reset them back. Of course you have a backup of the GPO’s which are good and you simply restore them…. Winking smile

BUT… You have never backed up the default GPO’s and you need to reset the setting…. Well the tool that allows you to do this is called DCGPOFIX and it can be found on any Windows Server 2003 or later windows server.

NOTE: Even though we are restoring the default domain GPO’s back to a default setting doing so may still cause more issues. Therefore make sure you have a current back of your default domain so you can easily undo this change if needed (see below).

image

image

TIP: Even if you are not going to run this command I would still make of these Default Domain GPO’s now…  right now…. Go on… Its not going to hurt and this will at least give you something to roll back if you need to in the future.

The command to restore the GPO’s to default is as simple as running the “DCGPOFIX.exe” from a command line and press “Y” twice when prompted.

image

Now you are done. You will notice any changes to the GPO have now been removed or reverted back to the default settings. Monitor your systems for any adverse affect and make sure that you have another backup of the GPO’s for future reference.

Note: By default this command will not run if the version of the OS does not match that of the Schema version in AD.

References:

Author: Alan Burchill

Microsoft MVP (Group Policy)

24 thoughts on “How to reset the Default Domain Group Policy Objects (DCGPOFIX)

  1. I used this to successfully fix an error in my default domain policy that was only allowing users with local admin rights to log on to machines. Very helpful, thanks.

  2. HOW TO REVERT PC BACK TO DEFAULT DOMAIN
    I really hope someone will be able to help me with this issue.

    My Neighbor who is 72 yrs old asked me (62yrs) to assist him with his laptop. His wife passed away and he cannot use the laptop because it is password protected, by the company she worked for. He has no PC or Cell phone savvy and only wants to use the PC to send and receive emails regarding his investments etc.

    I loaded a Windows 7 Professional CD to bypass the domain settings and created a User Profile for him. However, I no longer have the KEY for this CD and MS indicates that the PC might be a victim of illegal installation.

    I’ve tried uninstalling the Windows 7 Professional program, but it does not even show up in the programs.

    (He found a piece of paper in her jewellery box with a password on – which he would like to try.)
    How can I “undo” my “creation” to get back to his late wife’s section of the PC?

  3. Hi Sue, please contact a professional computer services company to assist you further and do not attempt to fix this yourself any further. If there is important data on the computer please ask them to first of all make a backup image of the entire computer which will ensure your data is recoverable in the event it is destroyed by further changes or if the PC gets lost or damaged. Then they should be able to export your data and ideally re-install the system. I’m not sure they’ll be able to give you access to the user account used by your neighbor’s wife however they will most definitely be able to export all files and user data (browsing history, emails in certain situations, etc.), set up a new system and restore your data.

  4. I getting group policy error 1058 in windows server 2008 r2 I check in sysvol folder the policies folder was empty so how can I reset both domain controller policy and domain policy ? if I disable that policy than domain user not able to login in computer error is sign in method is defferent.

  5. The processing of Group Policy failed. Windows attempted to read the file gpt.ini file from the domain controller.
    but the error occured in the domain controller itself

    due to that all applications are getting hanged after few seconds and unable to start some sql services and other network services
    please help

Leave a Reply