
Active Directory Cookbook by Robbie Allen


9.22. Restoring a Default GPO

Problem

You’ve made changes to the Default Domain Security Policy, Default Domain Controller Security Policy, or both, and now want to reset them to their original configuration.

Solution

Tip

This tool can be run only from a Windows Server 2003 domain controller.

Using a command-line interface

The following command replaces both the Default Domain Security Policy and the Default Domain Controller Security Policy. You can specify Domain or DC instead of Both to restore only one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to reset the GPO.

Discussion

If you’ve ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution.

dcgpofix works with a particular version of the schema. If the version it expects to be current is different from what is in Active Directory, it will not restore the GPOs. You can work around this by using the /ignoreschema switch, which will restore the GPO according to the version dcgpofix thinks is current. The only time you might experience this issue is if you install a service pack on a domain controller (dc1) that extends the schema, but have not yet installed it on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and of the dcgpofix utility were installed on dc1.
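Because dcgpofix discards every change made to the default GPOs, it helps to record what is being overwritten and which schema version the domain controller reports before running it. The script below is an added example, not code from the book: it assumes PowerShell 2.0 or later is installed on the domain controller, that `$env:USERDNSDOMAIN` holds the domain's DNS name, and it uses a hypothetical backup folder `C:\GpoPreReset`.

```powershell
# Added example (not from the book): keep a pre-reset copy, then run dcgpofix.
# Run on a domain controller in the target domain.
param(
    [ValidateSet('Domain', 'DC', 'Both')]
    [string]$Target = 'Both',
    [string]$BackupRoot = 'C:\GpoPreReset'   # hypothetical backup location
)
$ErrorActionPreference = 'Stop'

# Well-known GUIDs of the two default GPOs (identical in every domain).
$defaultGpos = @{
    Domain = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    DC     = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
}
$selected = if ($Target -eq 'Both') { 'Domain', 'DC' } else { @($Target) }

# Schema version as this DC sees it: objectVersion on the schema naming context.
$rootDse       = [ADSI]'LDAP://RootDSE'
$schemaNc      = [string]$rootDse.schemaNamingContext
$schemaVersion = [string]([ADSI]"LDAP://$schemaNc").objectVersion

# Copy each GPO's SYSVOL folder aside. This captures the file-based settings
# (for example GptTmpl.inf), not the GPO object stored in the directory.
$dest   = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null
$domain = $env:USERDNSDOMAIN
foreach ($name in $selected) {
    $src = "\\$domain\SYSVOL\$domain\Policies\$($defaultGpos[$name])"
    if (-not (Test-Path $src)) { throw "GPO folder not found: $src" }
    Copy-Item -Path $src -Destination $dest -Recurse
}
"Schema objectVersion: $schemaVersion" |
    Set-Content (Join-Path $dest 'schema-version.txt')
Write-Host "Pre-reset copy saved to $dest (schema version $schemaVersion)."

# dcgpofix asks for confirmation itself. /ignoreschema is deliberately not
# passed, so a schema mismatch stops the restore instead of being overridden.
& dcgpofix "/target:$Target"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "dcgpofix exited with code $LASTEXITCODE; check its output before assuming the GPOs were restored."
}
```

If dcgpofix refuses to run because of the schema version, compare the recorded value with the one reported on the domain controller that received the service pack before deciding whether /ignoreschema is appropriate.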
