crcsupport asked:
Resetting GPO in Windows 2012 domain

I created a couple of GPOs for Remote Access and now I can't log onto the domain from clients. As far as I know, once a GPO setting is configured from Unconfigured to Enabled/Disabled, simply changing it back to Unconfigured will not be propagated to clients. In this case, which way is the proper way to roll back? Putting back the backed-up GPO won't change anything either, because all of the settings were Unconfigured. I realized that backing up GPOs won't do much in this case.

Looking online, dcgpofix.exe will do the job, but is there any other way?

How about enforcing the Default Domain Policy? Will that reset all changed settings from 'Enabled/Disabled' to 'Unconfigured' if the Default Domain Policy has 'Unconfigured' for the matching settings?
crcsupport (ASKER) replied:
I had the trouble with one Windows 8 VM and one Windows 2012 DC VM.

Disabling 50-100 GPO settings seemed to me a way to avoid; I wanted to find an easy way to reset GPO settings and propagate them to clients.

So, I deleted the 2 trouble GPOs and enforced in the domain, rebooted the two VMs, and nothing happened; still the logon problem.

For the Windows 8 VM, I removed it from AD, then logged on locally to the client and rejoined the domain, and the problem was solved.

For the Windows 2012 DC VM, doing the same was not possible because it's a DC; the AD console doesn't allow me to simply remove the DC, and warned me to demote the DC first. I didn't like to do this, but kept it as the last choice.

I didn't explain this at the beginning, but, unlike the Windows 8 client, somehow about 5 minutes after booting I was able to log onto the Windows 2012 server. It still gives the same logon error until then. So, I logged onto the trouble DC, then ran gpupdate locally to see if it was a communication problem; no luck.

Then, I reset Local Group Policy (gpedit.msc) in the DC by running:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The problem on the trouble DC is gone. I can log on normally.

From this experience, I think 'Unconfigured' is not propagated to clients. I think the proper way to reset improperly configured GPOs is to go through all settings and disable them, or to reset Local Group Policy and rejoin the domain.
I will keep this post open for a while to see what more others say.
This is for my own guideline to troubleshoot GPO. If anyone wants to comment, please do so.

If multiple computers act weird after new roles are installed on a server or a GPO is changed, it's most likely a GPO problem.

1. Find the suspected GPO.
2. Create an OU and put one of the trouble computers in it.
3. Copy the GPO found in step 1 and create a new GPO.
4. Reverse all GPO settings on the new GPO, then apply it to the new OU created in step 2.
5. Run gpupdate on the trouble computer.
6. If the problem is fixed, it's caused by one of the GPO settings; start rolling back some of the settings and run gpupdate on the trouble computer to find which setting is the cause.
7. If the problem was not fixed in step 6, it's probably because of tattooing. Tattooing is the result of GPO settings (mostly settings under Administrative Templates) changing registry settings on GPO clients; even though the GPO setting is changed from Enabled/Disabled to Unconfigured, it still leaves the change in the registry, causing the problem. One way to find out if this is the problem is to restore the registry or reset Local Group Policy (gpedit.msc). However, this is also not recommended on any production server if the registry backup is done daily.

Reset LGP: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

8. If this doesn't fix the problem, it's probably something else.
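A way to carry out the tattooing check from step 7 of this guideline (and the reset described in the earlier follow-up) without guessing: an added PowerShell example, not from the thread or from Microsoft. It assumes the four standard policy registry roots listed in the script, which the page does not name, and a domain-joined computer on which gpupdate can be run from an elevated prompt.

```powershell
# Added example (not from the thread). Assumed roots: the four registry keys that
# Administrative Template policies write to. Take a snapshot before changing the
# GPO, run "gpupdate /force" (or reboot), take a second snapshot, then compare:
# values reported as "==" survived the change and are candidates for tattooing.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyRegistryValues {
    # Walk every key under the policy roots and flatten each value into one row.
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Path  = $key.Name                           # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...
                    Name  = $name
                    Value = (@($key.GetValue($name)) -join ',')  # REG_MULTI_SZ / REG_BINARY flattened to text
                }
            }
        }
    }
}

function Save-PolicySnapshot([string]$Path) {
    # Export-Clixml keeps the object shape so the two files compare cleanly later.
    Get-PolicyRegistryValues | Export-Clixml -Path $Path
}

function Compare-PolicySnapshot([string]$Before, [string]$After) {
    $b = @(Import-Clixml $Before)
    $a = @(Import-Clixml $After)
    # SideIndicator: "==" unchanged (possible tattoo, or set by another GPO that still applies),
    # "<=" removed by the update, "=>" newly written.
    Compare-Object -ReferenceObject $b -DifferenceObject $a -Property Path, Name, Value -IncludeEqual |
        Sort-Object SideIndicator, Path, Name
}

# Typical use on the affected computer (elevated prompt; HKCU rows are for the logged-on user):
#   Save-PolicySnapshot C:\temp\policy-before.xml
#   (set the GPO back to Not Configured or delete it, then: gpupdate /force)
#   Save-PolicySnapshot C:\temp\policy-after.xml
#   Compare-PolicySnapshot C:\temp\policy-before.xml C:\temp\policy-after.xml |
#       Where-Object SideIndicator -eq '==' | Format-Table -AutoSize
```

The "==" rows that match values the removed GPO used to set are the tattooed ones; the before-snapshot file also doubles as a record of the policy keys to put back if a value has to be restored by hand.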