Best practice stipulates that you shouldn’t modify the Default Domain and Default DC GPOs. Instead, you should create new GPOs and link them to the relevant containers. However, if you’ve already modified the GPO and want to restore the default content, perform the following steps:
- Log on as a domain administrator to a DC.
- Start a command session.
- To reset the Domain GPO, type
To reset the Default DC GPO, type
To reset both the Domain and Default DC GPOs, type
- After you enter the appropriate command in Step 3, enter Y to both prompts.
- Close the command window.
For example, when I type
my computer returns the following output:
Microsoft(R) Windows(R) Operating System Default Group Policy Restore Utility v5.1 Copyright (C) Microsoft Corporation. 1981-2003 Description: Recreates the Default Group Policy Objects (GPOs) for a domain Syntax: DcGPOFix [/ignoreschema] [/Target: Domain | DC | BOTH] This utility can restore either or both the Default Domain policy or the Default Domain Controller policy to the state that exists immediately after a clean install. You must be a domain administrator to perform this operation. WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES. You are about to restore Default Domain policy and Default Domain Controller policy for the following domain savilltech.com Do you want to continue: ? Y WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: ? Y The Default Domain Policy was restored successfully. Note: Only the contents of the Default Domain policy was restored. Group Policy links to this Group Policy Object were not altered. By default, the Default Domain policy is linked to the Domain. The Default Domain Controller policy was restored successfully. Note: Only the contents of the Default Domain Controller policy was restored. Group Policy links to this Group Policy Object were not altered. By default, the Default Domain Controller policy is linked to the Domain Controllers OU.