9.22. Restoring a Default GPO
Problem
You’ve made changes to the Default Domain Security Policy, Default Domain Controller Security Policy, or both, and now want to reset them to their original configuration.
Solution
Tip
This tool can be run only from a Windows Server 2003 domain controller.
Using a command-line interface
The following command would replace both the Default Domain Security Policy and Default Domain Controller Security Policy. You can specify Domain or DC instead of Both, to only restore one or the other.
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target domain where you want to reset the GPO.
Discussion
If you’ve ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and the dcgpofix utility were installed on dc1.