Solved

Resetting GPO in Windows 2012 domain

Posted on 2014-09-16
9
1,427 Views
Last Modified: 2014-09-17
I created a couple of GPOs for Remote Access and now I can't log onto the domain from clients. As far as I know, once a GPO setting is changed from Unconfigured to Enabled/Disabled, simply changing it back to Unconfigured will not be propagated to clients. In this case, which is the proper way to roll back? Putting back the backed-up GPO won't change anything either, because all of the settings were unconfigured. I realized that backing up GPOs won't do much in this case.

Looking online, dcgpofix.exe will do the job, but is there any other way?

How about enforcing the Default Domain Policy? Will that reset all changed settings from 'Enabled/Disabled' to 'Unconfigured' if the Default Domain Policy has 'Unconfigured' for the matching settings?
0
Question by:crcsupport
9 Comments
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 84 total points
ID: 40326632
MOST group policy settings have a "default" when set to unconfigured. So changing a setting back to unconfigured *does* propagate to the client and the original default will take effect again.
0
 
LVL 3

Accepted Solution

by:
Josef Al-Chacar earned 167 total points
ID: 40326637
Try changing the policy from enabled to disabled. Then log in locally to the client and do a gpupdate /force. Or you can just reboot the machine and it will update.

Or you may be able to re-add the client to the domain. Just add it to a workgroup then the domain and reboot. Do this after you change the policy back.
0
 
LVL 3

Assisted Solution

by:Josef Al-Chacar
Josef Al-Chacar earned 167 total points
ID: 40326639
I believe in Server 2012 you can do a gpupdate from the server itself.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 83 total points
ID: 40326659
Be sure to familiarize yourself with "Tattooing":

http://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
0
 
LVL 13

Assisted Solution

by:Natty Greg
Natty Greg earned 83 total points
ID: 40326681
Disable it and force the domain default policy, then reboot all client machines to pick up the new policy.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40326834
I had the trouble with one Windows 8 VM and one Windows 2012 DC VM.

Disabling 50-100 GPO settings seemed to me something to avoid; I wanted to find an easy way to reset GPO settings and propagate them to clients.

So, I deleted the 2 trouble GPOs, enforced in the domain, and rebooted the two VMs; nothing happened, still the logon problem.

For the Windows 8 VM, I removed it from AD, then logged on locally to the client and rejoined the domain; the problem was solved.

For the Windows 2012 DC VM, doing the same was not possible because it's a DC; the AD console doesn't allow me to simply remove the DC, and warned me to demote the DC first. I didn't like to do this, but kept it as the last choice.

I didn't explain this at the beginning, but, unlike the Windows 8 client, somehow about 5 minutes after booting I was able to log onto the Windows 2012 server. It still gives the same logon error until then. So, I logged onto the trouble DC, then ran gpupdate locally to see if it was a communication problem; no luck.

Then, I reset Local Group Policy (gpedit.msc) in the DC by running:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The problem on the trouble DC is gone. I can log on normally.

From this experience, I think 'unconfigured' is not propagated to clients. I think the proper way to reset improperly configured GPOs is to go through all settings and disable them, or to reset Local Group Policy and rejoin the domain.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40326837
I will keep this post for a while to see what others say more.
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 83 total points
ID: 40327922
The problem with policies is that a multitude of policies is what is called a tattooing policy (see dstewartjr's post). This means that if you set a policy to enabled or disabled it will change the registry setting (because that's all a GPO is, a bunch of registry settings; just check the adm/admx files) but will not change it back to its original state if you set it to unconfigured.

The only way to change it is to set it the other way around (from Enabled to Disabled) or add a registry key to the GPO that sets the reg key to the default value (if you still know what that was).

The problem with GPOs (believe me, I've seen too many) is that although it does seem tempting to set these up, their effects can be devastating and are almost instant. User settings are applied when the GPO is updated (which by default is every 90 minutes) and after that all settings are applied. Sometimes with no easy way back.

Needless to say, be careful with GPOs.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40328280
This is for my own guideline to troubleshoot GPO. If anyone wants to comment, please do so.

If multiple computers act weird after new roles are installed on a server or a GPO is changed, it's most likely a GPO problem.

1. Find the suspected GPO.
2. Create an OU and put one of the trouble computers in it.
3. Copy the GPO found in step 1 and create a new GPO.
4. Reverse all GPO settings on the new GPO, then apply it to the new OU created in step 2.
5. Gpupdate on the trouble computer.
6. If the problem is fixed, it's caused by one of the GPO settings; start rolling back some of the settings and run gpupdate on the trouble computer to find which setting is the cause.
7. If the problem was not fixed in step 6, it's probably because of tattooing. Tattooing is the result of GPO settings (mostly settings under Administrative Templates) changing registry settings on GPO clients; even though the GPO setting is changed from Enabled/Disabled to Unconfigured, it still leaves the change in the registry, causing the problem. One way to find out if this is the problem is to restore the registry or reset Local Group Policy (gpedit.msc). However, this is also not recommended on any production server if the registry backup is done daily.

Reset LGP: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

8. If this doesn't fix the problem, it's probably something else.
0
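The tattooing discussion in rhandels' answer and step 7 of the guideline above come down to where a GPO writes in the registry: values under the four Policies roots are cleaned up by the client when the GPO stops applying, values anywhere else persist until explicitly reversed. The PowerShell below is an added example, not code from this thread or from Microsoft, that lists a GPO's registry-based settings and flags the ones that will tattoo; it assumes the RSAT GroupPolicy module, a placeholder GPO name, and that Get-GPRegistryValue reports subkeys as entries with HasValue set to false.

```powershell
# Added example: flag which registry-based settings in a GPO will "tattoo" a client.
Import-Module GroupPolicy

# The four roots Group Policy treats as "true policy"; values here are cleaned up
# by the client when the GPO no longer applies. Anything else persists (tattoos).
$TruePolicyRoots = @(
    'HKLM\Software\Policies',
    'HKCU\Software\Policies',
    'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-TruePolicyPath {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Normalise long hive names so both HKLM\... and HKEY_LOCAL_MACHINE\... compare.
    $p = $KeyPath -replace '^HKEY_LOCAL_MACHINE', 'HKLM' -replace '^HKEY_CURRENT_USER', 'HKCU'
    foreach ($root in $TruePolicyRoots) {
        if ($p -eq $root -or $p -like "$root\*") { return $true }
    }
    return $false
}

function Get-GPRegistrySettingTree {
    # Walks the registry-based settings stored in a GPO below $Key.
    # Assumption: Get-GPRegistryValue reports a subkey as an entry with
    # HasValue = $false, so those entries are descended into.
    param([string]$GpoName, [string]$Key)
    $entries = Get-GPRegistryValue -Name $GpoName -Key $Key -ErrorAction SilentlyContinue
    foreach ($e in $entries) {
        if ($e.HasValue) { $e }
        else { Get-GPRegistrySettingTree -GpoName $GpoName -Key $e.FullKeyPath }
    }
}

function Get-GPTattooingReport {
    param([Parameter(Mandatory)][string]$GpoName)
    foreach ($hive in 'HKLM\Software', 'HKCU\Software') {
        Get-GPRegistrySettingTree -GpoName $GpoName -Key $hive | ForEach-Object {
            [pscustomobject]@{
                Key       = $_.FullKeyPath
                ValueName = $_.ValueName
                Value     = $_.Value
                State     = $_.PolicyState
                Tattoos   = -not (Test-TruePolicyPath $_.FullKeyPath)
            }
        }
    }
}

# Placeholder GPO name; replace with the GPO you suspect.
Get-GPTattooingReport -GpoName 'PLACEHOLDER-Remote-Access-GPO' | Sort-Object Tattoos -Descending | Format-Table -AutoSize
```

Entries reported with Tattoos = True are the ones that need an explicit reversed value (Disabled, or the original value) rather than Not Configured, which is the point rhandels makes about setting things "the other way around".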
