How to restore/fix the default Domain Policies in Windows Server

Hello guys!

First of all, you should never modify the default policies in any windows environment (Workstation, Stand alone, Member server or DC), the right way to do it is to create polices based on what ever you want to achievied and link those policies to the appropiate OU. For example: Desktop Control, User Station settings, Base Security Settings, Network Settings, Internet Control, etc.  Well you get the idea, use your imagination and keep it simple but don’t go over board creating one gpo for every setting you want to change.

BUT, if you did not know better, or inherited a windows system from another administrator, you probably have modifications made to the default policies. Or maybe, it’s broken!

To fix this, there is a tool called dcgpofix.exe, with this tool you can recreate the default policies and fix corrupt or ill configured default policies.

  1. Please backup before doing this, even if the policies are broken.  You never know …
  2. Now just execute dcgpofix.exe at the command prompt
  3. You will receive a warning that the policies are going to be overwritten, answer yes to the warning.
  4. You are done!

Well no, somtimes, the dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state (http://support.microsoft.com/?KBID=833783)

Also you have to fix the links to the policies on your menu, but thats easy.  Just edit properties of the shortcut and put in the new path.

To fix this issue you should apply the DC Setup Security Template policy.

  1. Open the Group Policy Management Tool an edit the  Default Domain Controller Security Policy.
  2. Go to Computer Configuration\Windows Settings\Security Settings
  3. Right click and choose import.
  4. Pick DC Security or any other template you want to import and hit open.
  5. Finally reload the policies by right clicking security settings and choosing reload or use the command “gpudate /force” or both if you want to be sure.

You may have to modify the procedure depending on the version of windows server you have installed (2003, 2008, 2008R2).

I hope this information helps you in your quest to tame Windows Server, For  more information on this tool go to:

http://technet.microsoft.com/en-us/library/cc739095%28v=ws.10%29.aspx

JQ