If you have ever read my Best Practice for Group Policy blog post then you will know that I encourage you to edit the default domain GPOs sparingly. The only exception I would make to this rule is when you want to modify the default domain password policy, but even then you can create a new password policy GPO linked at the domain level instead (see Tutorial: How to setup Default and Fine Grain Password Policy).
Even if you don't want to take my word for it, here is a reference on the TechNet web site that says pretty much the same thing…
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
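Here is what that TechNet advice looks like in practice. This is an added PowerShell example, not code from the original post: it creates a separate GPO at the domain root and gives it link order 1 (highest precedence) so its settings win over the Default Domain Policy without touching the default GPO itself. It assumes the RSAT GroupPolicy and ActiveDirectory modules and Domain Admin rights; the GPO name is a placeholder.

```powershell
# Added example (not from the original post): override the default GPOs with
# a new GPO at the domain root instead of editing them.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and Domain Admin rights.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$gpoName  = 'Domain - Security Baseline'        # placeholder name

# Create the GPO only if it does not already exist
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Overrides selected Default Domain Policy settings'
}

# Link it at the domain root with Order 1. Link order 1 is processed last,
# so its settings take precedence over the Default Domain Policy link.
# New-GPLink fails if the link already exists, so check first.
$links = (Get-GPInheritance -Target $domainDn).GpoLinks
if ($links.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $gpoName -Target $domainDn -Order 1 | Out-Null
}

# Verify: the new GPO should be listed at Order 1, ahead of Default Domain Policy
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Put the settings you would otherwise have edited in the default GPO into this new GPO; because it has the higher link order, any setting it defines wins, and the Default Domain Policy stays untouched and easy to reset.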
So… let's assume you have done everything wrong and either the Default Domain and/or the Default Domain Controllers Group Policy objects have been modified and you want to reset them back. Of course you have a good backup of the GPOs and you simply restore them….
BUT… you have never backed up the default GPOs and you need to reset the settings…. Well, the tool that allows you to do this is called DCGPOFIX and it can be found on any Windows Server 2003 or later server.
NOTE: Even though we are restoring the default domain GPOs back to their default settings, doing so may still cause more issues, because every non-default setting in them (including any added by other products during their setup) is removed. Therefore make sure you have a current backup of your default domain GPOs so you can easily undo this change if needed (see below).
TIP: Even if you are not going to run this command I would still make a backup of these Default Domain GPOs now… right now…. Go on… it's not going to hurt and this will at least give you something to roll back to if you need to in the future.
The command to restore the GPOs to default is as simple as running "DCGPOFIX.exe" from a command line on a domain controller and pressing "Y" twice when prompted. By default it resets both GPOs; the /target:Domain or /target:DC switch limits the reset to one of them.
Now you are done. You will notice any changes to the GPOs have now been removed or reverted back to the default settings. Monitor your systems for any adverse effects and make sure that you take another backup of the GPOs for future reference.
Note: By default this command will not run if the Active Directory schema version does not match the version the tool expects. The /ignoreschema switch bypasses that check, but only use it if you understand why the versions differ.
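The whole procedure above (back up first, reset, verify, keep a rollback path) as one script. This is an added PowerShell example, not from the original post: it backs up both default GPOs with a settings report, runs DCGPOFIX, produces a post-reset report for comparison, and shows the Restore-GPO rollback. It assumes it runs on a domain controller with Domain Admin rights and the RSAT GroupPolicy module; the backup path is a placeholder. The two GUIDs are the well-known IDs of the default GPOs, which are the same in every domain.

```powershell
# Added example (not from the original post): back up, reset with DCGPOFIX,
# and keep a rollback path for the two default GPOs.
# Assumes a domain controller, Domain Admin rights and the RSAT GroupPolicy module.
Import-Module GroupPolicy

$backupRoot = 'C:\GPOBackups'                                    # placeholder path
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir  = Join-Path $backupRoot "DefaultGPOs-before-dcgpofix-$stamp"
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Well-known GUIDs of the two default GPOs (identical in every AD domain)
$defaultGpos = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04fB984F9'
}

# 1. Back up each GPO and save a readable settings report for later diffing
foreach ($name in $defaultGpos.Keys) {
    Backup-GPO -Guid $defaultGpos[$name] -Path $backupDir -Comment "Pre-dcgpofix $stamp" | Out-Null
    Get-GPOReport -Guid $defaultGpos[$name] -ReportType Html `
        -Path (Join-Path $backupDir "$name-before.html")
}

# 2. Reset both GPOs. /target:Both is the default; use /target:Domain or
#    /target:DC to reset only one. dcgpofix prompts for confirmation (answer Y).
#    Add /ignoreschema only if you know why the schema version check fails.
& dcgpofix.exe /target:Both

# 3. Post-reset report, so before/after can be compared side by side
foreach ($name in $defaultGpos.Keys) {
    Get-GPOReport -Guid $defaultGpos[$name] -ReportType Html `
        -Path (Join-Path $backupDir "$name-after.html")
}

# 4. Rollback if the reset breaks something: restore from the pre-reset backup.
#    Left commented out so the script does not undo the reset by default.
# foreach ($name in $defaultGpos.Keys) {
#     Restore-GPO -Guid $defaultGpos[$name] -Path $backupDir
# }
```

Keep the backup directory somewhere the GPOs cannot overwrite it, and take a fresh Backup-GPO after you have confirmed the reset did no harm so that the known-good state is what you restore next time.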