September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
9.22. Restoring a Default GPO
Problem
You’ve made changes to the Default Domain Security Policy, Default Domain Controller Security Policy, or both, and now want to reset them to their original configuration.
Solution
Tip
This tool can be run only from a Windows Server 2003 domain controller.
Using a command-line interface
The following command
would replace both the Default
Domain Security Policy and Default Domain Controller Security Policy.
You can specify Domain or DC
instead of Both, to only restore one or the other.
> dcgpofix /target:Both
Note that this must be run from a domain controller in the target domain where you want to reset the GPO.
Discussion
If you’ve ever made changes to the default GPOs and
would like to revert back to the original settings, the
dcgpofix utility
is your solution. dcgpofix
works with a particular version of the schema. If the version it
expects to be current is different from what is in Active Directory,
it will not restore the GPOs. You can work around this by using
the /ignoreschema
switch, which will restore the GPO according to the
version dcgpofix thinks is
current. The only time you might experience this issue is if you
install a service pack on a domain controller (dc1) that extends the
schema, but have not installed it yet on a second domain controller
(dc2). If you try to run
dcgpofix from dc2,
you will receive the error since a new version of the schema and
the dcgpofix
utility was installed on dc1.