Resetting GPO in Windows 2012 domain

Posted on 2014-09-16
Medium Priority
Last Modified: 2014-09-17
I created a couple of GPOs for Remote Access and now I can't log onto the domain from clients. As far as I know, once a GPO setting is changed from Unconfigured to Enabled/Disabled, simply changing it back to Unconfigured will not be propagated to clients. In this case, what is the proper way to roll back? Restoring the backed-up GPO won't change anything either, because all of its settings were unconfigured. I realized that backing up GPOs won't do much in this case.

Looking online, dcgpofix.exe will do the job, but is there any other way?

How about enforcing the Default Domain Policy? Will that reset all changed settings from 'Enabled/Disabled' to 'Unconfigured' if the Default Domain Policy has 'Unconfigured' for the matching settings?
Question by: crcsupport

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 336 total points
ID: 40326632
MOST group policy settings have a "default" when set to unconfigured. So changing a setting back to unconfigured *does* propagate to the client, and the original default will take effect again.

Accepted Solution

Josef Al-Chacar earned 668 total points
ID: 40326637
Try changing the policy from enabled to disabled. Then log in locally to the client and do a gpupdate /force. Or you can just reboot the machine and it will update.

Or you may be able to re-add the client to the domain. Just add it to a workgroup then the domain and reboot. Do this after you change the policy back.

Assisted Solution

by:Josef Al-Chacar
Josef Al-Chacar earned 668 total points
ID: 40326639
I believe in server 2012 you can do a gpupdate from the server itself.

Assisted Solution

by:Donald Stewart
Donald Stewart earned 332 total points
ID: 40326659
Be sure to familiarize yourself with "Tattooing".

Assisted Solution

by:Natty Greg
Natty Greg earned 332 total points
ID: 40326681
Disable it and force the domain default policy, then reboot all client machines to pick up the new policy.

Author Comment

ID: 40326834
I had the trouble with one Windows 8 VM and one Windows 2012 DC VM.

Disabling 50-100 GPO settings seemed to me something to avoid; I wanted to find an easy way to reset GPO settings and propagate them to clients.

So, I deleted the 2 trouble GPOs and enforced in the domain, then rebooted the two VMs; nothing happened, still the logon problem.

For the Windows 8 VM, I removed it from AD, then logged on locally to the client and rejoined the domain; the problem was solved.

For the Windows 2012 DC VM, doing the same was not possible because it's a DC; the AD console doesn't allow me to simply remove the DC and warned me to demote the DC first. I didn't like to do this, but kept it as the last choice.

I didn't explain this at the beginning, but, unlike the Windows 8 client, somehow about 5 minutes after booting I was able to log onto the Windows 2012 server. It still gives the same logon error until then. So I logged onto the trouble DC, then ran gpupdate locally to see if it was a communication problem; no luck.

Then, I reset the Local Group Policy (gpedit.msc) on the DC by running:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The problem on the trouble DC is gone. I can log on normally.

From this experience, I think 'unconfigured' is not propagated to clients. I think the proper way to reset improperly configured GPOs is to go through all settings and disable them, or to reset the Local Group Policy and rejoin the domain.

Author Comment

ID: 40326837
I will keep this post for a while to see what others say more.

Assisted Solution

rhandels earned 332 total points
ID: 40327922
The problem with policies is that a multitude of policies is called a tattooing policy (see dstewartjr's post). This means that if you set a policy to enabled or disabled it will change the registry setting (because that's all that a GPO is, a bunch of registry settings, just check the adm/admx files) but will not change it back to its original state if you set it to unconfigured.

The only way to change it is to set it the other way around (from Enabled to Disabled) or add a registry key to the GPO that sets the reg key to the default value (if you still know what that was).

The problem with GPOs (believe me, I've seen too many) is that although it does seem tempting to set these up, their effects can be devastating and almost instant. User settings are applied when the GPO is updated (which by default is every 90 minutes) and after that all settings are applied... Sometimes with no easy way back...

Needless to say, be careful with GPOs...

Author Comment

ID: 40328280
This is for my own guideline to troubleshoot GPO. If anyone wants to comment, please do so.

If multiple computers act weird after new roles are installed on the server or a GPO is changed, it's most likely a GPO problem.

1. Find the suspected GPO.
2. Create an OU and put one of the trouble computers in it.
3. Copy the GPO found in step 1 and create a new GPO.
4. Reverse all GPO settings on the new GPO, then apply it to the new OU created in step 2.
5. Run gpupdate on the trouble computer.
6. If the problem is fixed, it's caused by one of the GPO settings; start rolling back some of the settings and run gpupdate on the trouble computer to find which setting is the cause.
7. If the problem was not fixed in step 6, it's probably because of tattooing. Tattooing is the result of GPO settings (mostly settings under Administrative Templates) changing registry settings on GPO clients; even though the GPO setting is changed from Enabled/Disabled to Unconfigured, it still leaves the change in the registry, causing the problem. One way to find out if this is the problem is to restore the registry or reset the Local Group Policy (gpedit.msc). However, this is also not recommended on any production server if the registry backup is done daily.

Reset LGP: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

8. If this doesn't fix the problem, it's probably something else.
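As an added example (not posted by anyone in this thread), the following PowerShell automates steps 1 to 5 of the guideline above and adds the tattoo check of step 7, using the GroupPolicy and ActiveDirectory modules that ship with RSAT on Windows Server 2012. The GPO name, OU name, host name, backup path and registry key/value are placeholders; run it as a domain admin in a lab first.

```powershell
# Added example, not from the thread: automates steps 1-5 of the guideline
# above and the tattoo check of step 7. Needs the GroupPolicy and
# ActiveDirectory modules (RSAT on Windows Server 2012).
Import-Module GroupPolicy, ActiveDirectory

# Placeholders for this lab; replace with your own names.
$suspectGpo  = 'Remote Access Policy'      # step 1: the suspected GPO
$testGpo     = "$suspectGpo - Reversal Test"
$troubleHost = 'WS01'                      # one affected client
$domainDn    = (Get-ADDomain).DistinguishedName
$testOuName  = 'GPO-Troubleshoot'
$testOuDn    = "OU=$testOuName,$domainDn"
$backupDir   = 'C:\GPO-Backups'

# Take a restorable backup before changing anything.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name $suspectGpo -Path $backupDir -Comment 'Before reversal test' | Out-Null

# Step 2: an isolated OU that holds only the test machine.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$testOuName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $testOuName -Path $domainDn -ProtectedFromAccidentalDeletion $false
}
Get-ADComputer -Identity $troubleHost | Move-ADObject -TargetPath $testOuDn

# Step 3: work on a copy so the original GPO is left untouched.
Copy-GPO -SourceName $suspectGpo -TargetName $testGpo | Out-Null

# Step 4: reverse each registry-backed setting in the copy. The key below is a
# placeholder; fill the list from the suspect GPO's settings report
# (Get-GPOReport -Name $suspectGpo -ReportType Html).
$reversals = @(
    @{ Key = 'HKLM\SOFTWARE\ExampleVendor\RemoteAccess'; ValueName = 'ExampleSetting'; Value = 0 }
)
foreach ($r in $reversals) {
    Set-GPRegistryValue -Name $testGpo -Key $r.Key -ValueName $r.ValueName -Type DWord -Value $r.Value | Out-Null
}
New-GPLink -Name $testGpo -Target $testOuDn -LinkEnabled Yes -Enforced Yes | Out-Null

# Step 5: refresh policy on the test machine and keep the resulting RSoP report.
Invoke-GPUpdate -Computer $troubleHost -Force -RandomDelayInMinutes 0
Get-GPResultantSetOfPolicy -Computer $troubleHost -ReportType Html -Path "$backupDir\$troubleHost-rsop.html"

# Step 7 check: with the setting back to Not Configured and policy refreshed, a value
# still present on the client is tattooed. Values under the Software\Policies keys are
# removed on revert; values written anywhere else (like this placeholder) are not.
Invoke-Command -ComputerName $troubleHost -ScriptBlock {
    param($key, $name)
    $v = Get-ItemProperty -Path ($key -replace '^HKLM\\', 'HKLM:\') -Name $name -ErrorAction SilentlyContinue
    if ($v) { "TATTOOED: $key\$name = $($v.$name)" } else { "clean: $key\$name absent" }
} -ArgumentList $reversals[0].Key, $reversals[0].ValueName
```

Restore-GPO with the backup taken at the top is the rollback path if the test copy turns out to be wrong; the Step 7 block only reads the client registry and changes nothing.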
