Solved

Resetting GPO in Windows 2012 domain

Posted on 2014-09-16
9
1,183 Views
Last Modified: 2014-09-17
I created a couple of GPOs for Remote Access and now I can't log onto the domain from clients. As far as I know, once a GPO setting is changed from unconfigured to Enabled/Disabled, simply changing it back to unconfigured will not be propagated to clients. In this case, what is the proper way to roll back? Putting back the backed-up GPO won't change anything either, because all of the settings were unconfigured. I realized that backing up GPOs won't do much in this case.

Looking online, dcgpofix.exe will do the job, but is there any other way?

How about enforcing the Default Domain Policy? Will that reset all changed settings from 'Enabled/Disabled' to 'Unconfigured' if the Default Domain Policy has 'Unconfigured' for the matching settings?
Question by:crcsupport
9 Comments
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 84 total points
ID: 40326632
MOST group policy settings have a "default" when set to unconfigured. So changing a setting back to unconfigured *does* propagate to the client and the original default will take effect again.
0
 
LVL 3

Accepted Solution

by:Josef Al-Chacar
Josef Al-Chacar earned 167 total points
ID: 40326637
Try changing the policy from enabled to disabled. Then log in locally to the client and do a gpupdate /force. Or you can just reboot the machine and it will update.

Or you may be able to re-add the client to the domain. Just add it to a workgroup then the domain and reboot. Do this after you change the policy back.
0
 
LVL 3

Assisted Solution

by:Josef Al-Chacar
Josef Al-Chacar earned 167 total points
ID: 40326639
I believe in server 2012 you can do a gpupdate from the server itself.
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 83 total points
ID: 40326659
Be sure to familiarize yourself with "Tattooing"

http://sdmsoftware.com/gpoguy/whitepapers/understanding-policy-tattooing/
0
 
LVL 9

Assisted Solution

by:nattygreg
nattygreg earned 83 total points
ID: 40326681
Disable it and force the domain default policy, then reboot all client machines to pick up the new policy.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40326834
I had the trouble with one Windows 8 VM and one windows 2012 DC VM.

Disabling 50-100 GPO settings seemed to me something to avoid; I wanted to find an easy way to reset GPO settings and propagate them to clients.

So, I deleted the 2 trouble GPOs and enforced them in the domain, rebooted the two VMs; nothing happened, still the logon problem.

For the Windows 8 VM, I removed it from AD, then logged on locally to the client and rejoined the domain; the problem was solved.

For the Windows 2012 DC VM, doing the same was not possible, because it's a DC; the AD console doesn't allow me to simply remove the DC, and warned me to demote the DC first. I didn't like to do this, but kept it as the last choice.

I didn't explain this at the beginning, but, unlike the Windows 8 client, somehow about 5 minutes after booting, I was able to log onto the Windows 2012 server. It still gives the same logon error until then. So, I logged onto the trouble DC, then ran gpupdate locally to see if it was a communication problem; no luck.

Then, I reset Local Group Policy (gpedit.msc) in the DC by running:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

The problem on the trouble DC is gone. I can log on normally.

From this experience, I think 'unconfigured' is not propagated to clients. I think the proper way to reset improperly configured GPOs is to go through all settings and disable them, or to reset Local Group Policy and rejoin the domain.
0
 
LVL 1

Author Comment

by:crcsupport
ID: 40326837
I will keep this post for a while to see what others say more.
0
 
LVL 23

Assisted Solution

by:rhandels
rhandels earned 83 total points
ID: 40327922
The problem with policies is that a multitude of policies is what's called a tattooing policy (see dstewartjr's post). This means that if you set a policy to enabled or disabled it will change the registry setting (cause that's all that a GPO is, a bunch of registry settings, just check the adm/admx files) but will not change it back to its original state if you set it to unconfigured.

The only way to change it is to set it the other way around (being from Enabled to Disabled) or add a registry key to the GPO that sets the reg key to the default value (if you still know what that was).

The problem with GPOs (believe me, I've seen too many) is that although it does seem tempting to set these up, their effects can be devastating and the effects are almost instant. User settings are applied when the GPO is updated (which by default is 90 minutes) and after that all settings are applied. Sometimes with no easy way back.

Needless to say, be careful with GPOs.
0
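A way to see tattooing directly on a client, as an added example that is not part of this thread: snapshot every value under the policy registry hives before a GPO is linked, after it applies, and again after the settings are set back to Not Configured, then diff the snapshots. Whatever survives the last step is tattooed. This is PowerShell added here by the editor; the hive paths are the standard Administrative Template locations, while the snapshot workflow and the Remove-TattooedValue helper are my own assumptions, not something the thread describes. It only covers registry-based policies; security settings (the ones secedit handles) live elsewhere.

```powershell
# Added example (not from the thread): snapshot the policy registry hives and
# diff two snapshots to see what a GPO wrote and what it left behind (tattooing).
# Assumed workflow: snapshot before linking the GPO, after gpupdate, and again
# after setting the GPO back to Not Configured and running gpupdate.

# Hives where registry-based (Administrative Template) policies are written.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Get-PolicyRegistrySnapshot {
    # Returns a hashtable "KeyPath|ValueName" -> value (as a string) for every
    # value under the policy roots. Roots that do not exist are skipped.
    $snap = @{}
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Multi-string and binary values are joined so they compare as text.
                $value = $key.GetValue($name)
                $snap["$($key.Name)|$name"] = ($value -join ',')
            }
        }
    }
    return $snap
}

function Compare-PolicyRegistrySnapshot {
    # Emits one object per entry that was Added, Removed or Changed between snapshots.
    param([hashtable]$Before, [hashtable]$After)
    $all = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($entry in $all) {
        $b = if ($Before.ContainsKey($entry)) { $Before[$entry] } else { $null }
        $a = if ($After.ContainsKey($entry))  { $After[$entry] }  else { $null }
        if ($null -eq $b)      { $change = 'Added' }
        elseif ($null -eq $a)  { $change = 'Removed' }
        elseif ($b -ne $a)     { $change = 'Changed' }
        else                   { continue }
        [pscustomobject]@{ Change = $change; Entry = $entry; Before = $b; After = $a }
    }
}

function Remove-TattooedValue {
    # Deletes one tattooed value, given an "KeyPath|ValueName" entry from the diff.
    # Assumed helper: use it only after the diff shows the value survived Not Configured.
    param([Parameter(Mandatory)][string]$Entry)
    $keyPath, $valueName = $Entry -split '\|', 2
    $psPath = $keyPath -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
    Remove-ItemProperty -Path $psPath -Name $valueName -ErrorAction Stop
}

# Usage on the test client (elevated prompt; save snapshots so they survive reboots):
#   $before = Get-PolicyRegistrySnapshot; $before | Export-Clixml C:\Temp\before.xml
#   ...link the GPO, run gpupdate /force, then:
#   $applied = Get-PolicyRegistrySnapshot
#   Compare-PolicyRegistrySnapshot -Before $before -After $applied | Format-Table   # what the GPO wrote
#   ...set the settings back to Not Configured, run gpupdate /force, then:
#   $after = Get-PolicyRegistrySnapshot
#   Compare-PolicyRegistrySnapshot -Before $before -After $after | Format-Table     # what is tattooed
```

The HKCU roots are read for whichever user runs the script, so take the user-side snapshots as the affected user. The last diff is the useful one: anything still reported as Added or Changed relative to the original baseline did not revert when the setting went back to Not Configured, and must be pinned to an explicit value in a GPO or deleted by hand, as rhandels says.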
 
LVL 1

Author Comment

by:crcsupport
ID: 40328280
This is for my own guideline to troubleshoot GPO. If anyone wants to comment, please do so.

If multiple computers act weird after new roles are installed on a server or a GPO is changed, it's most likely a GPO problem.

1. Find the suspected GPO.
2. Create an OU and put one of the trouble computers in it.
3. Copy the GPO found in step 1 and create a new GPO.
4. Reverse all GPO settings on the new GPO, then apply it to the new OU created in step 2.
5. gpupdate on the trouble computer.
6. If the problem is fixed, it's caused by one of the GPO settings; start rolling back some of the settings and run gpupdate on the trouble computer to find which setting is the cause.
7. If the problem was not fixed in step 6, it's probably because of tattooing. Tattooing is the result of GPO settings (mostly settings under Administrative Templates) changing registry settings on GPO clients; even though the GPO setting is changed from Enabled/Disabled to unconfigured, it still leaves the change in the registry, causing the problem. One way to find out if this is the problem is to restore the registry or reset Local Group Policy (gpedit.msc). However, this is also not recommended on any production server if the registry backup is done daily.

Reset LGP: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

8. If this doesn't fix the problem, it's probably something else.
0
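The numbered procedure above, scripted as an added example (the editor's code, not the question author's): it uses the GroupPolicy and ActiveDirectory PowerShell modules that ship with Windows Server 2012 and RSAT. The GPO name "Remote Access Policy", the OU name "GPO-Troubleshoot", the computer name "CLIENT01", the folder C:\GPOBackup and the placeholder registry key in the usage lines are all assumptions.

```powershell
# Added example (not the thread author's script): the isolation procedure above,
# using the GroupPolicy and ActiveDirectory modules on a DC or an RSAT workstation.
# Assumed names: suspected GPO, test OU, trouble computer and backup folder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$SuspectGpo = 'Remote Access Policy'       # assumed name of the GPO from step 1
$TestGpo    = "$SuspectGpo - TEST"
$TestOuName = 'GPO-Troubleshoot'           # assumed test OU from step 2
$Computer   = 'CLIENT01'                   # assumed trouble computer
$BackupPath = 'C:\GPOBackup'               # assumed backup folder

# Step 1: GPOs modified in the last N days; the suspect is usually near the top.
function Find-RecentlyChangedGpo {
    param([int]$Days = 7)
    Get-GPO -All |
        Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object ModificationTime -Descending |
        Select-Object DisplayName, ModificationTime, GpoStatus
}

# Step 2: create the test OU (if missing) and move one trouble computer into it.
function New-TestOu {
    $domainDn = (Get-ADDomain).DistinguishedName
    $ouDn = "OU=$TestOuName,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$TestOuName'")) {
        New-ADOrganizationalUnit -Name $TestOuName -Path $domainDn -ProtectedFromAccidentalDeletion $false
    }
    $pc = Get-ADComputer -Identity $Computer
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $ouDn
    return $ouDn
}

# Step 3: back up the suspect GPO, then copy it to a test GPO you can edit freely.
function Copy-SuspectGpo {
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    Backup-GPO -Name $SuspectGpo -Path $BackupPath | Out-Null
    Copy-GPO -SourceName $SuspectGpo -TargetName $TestGpo | Out-Null
}

# Step 4: reverse or pin one registry-based setting on the copy. Writing an
# explicit value this way is also how a tattooed value is forced back to its
# default, since Not Configured does not rewrite it.
function Set-TestGpoValue {
    param([string]$Key, [string]$ValueName, [int]$Value)
    Set-GPRegistryValue -Name $TestGpo -Key $Key -ValueName $ValueName -Type DWord -Value $Value | Out-Null
}

# Link the test GPO only to the test OU, enforced so nothing above it wins.
function Add-TestGpoLink {
    param([string]$OuDn)
    New-GPLink -Name $TestGpo -Target $OuDn -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Step 5: refresh policy on the trouble computer from the server side.
function Update-TroubleComputer {
    Invoke-GPUpdate -Computer $Computer -Force -RandomDelayInMinutes 0
}

# Step 6: dump the test GPO's settings to a report so you can bisect them.
function Export-TestGpoReport {
    Get-GPOReport -Name $TestGpo -ReportType Html -Path "$BackupPath\$TestGpo.html"
}

# Usage (domain admin):
#   Find-RecentlyChangedGpo -Days 3
#   $ou = New-TestOu
#   Copy-SuspectGpo
#   Set-TestGpoValue -Key 'HKLM\SOFTWARE\Policies\PLACEHOLDER' -ValueName 'PLACEHOLDER' -Value 0
#   Add-TestGpoLink -OuDn $ou
#   Update-TroubleComputer
#   Export-TestGpoReport
```

Invoke-GPUpdate schedules the refresh through a remote scheduled task, so the client must allow that traffic through its firewall; if it cannot, run gpupdate /force on the client as the thread's answers suggest. Keep the backup from step 3: it lets you Restore-GPO the original once the offending setting is found, and the test OU and test GPO can then be deleted.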
