Remove GPO from Server 2012 R2

How do I go about removing/resetting the Default Domain Policy on a Server 2012 R2 server?

The previous admin made all his changes in the Default Domain Policy, and when I added "Authenticated Users" to the policy, the policy was sent out to a few of the servers. I originally was just changing the domain password policy, but it wasn't getting applied to anyone and I noticed there was no one listed in the "Security Filtering".

Now it currently tells me, when I run gpresult /Scope User /v, that the permission is denied. I removed "Authenticated Users" from the "Security Filtering" so it wouldn't push out the policy anymore.




Also, when I do gpupdate /force on the domain controller (2012 R2 as well), I get a different message.

C:\>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.

The following warnings were encountered during computer policy processing:

Windows failed to record Resultant Set of Policy (RSoP) information, which descr
ibes the scope of Group Policy objects applied to the computer or user. This cou
ld be caused by RSOP being disabled or Windows Management Instrumentation (WMI)
service being disabled, stopped, or other WMI errors. Group Policy settings succ
essfully applied to the computer or user; however, management tools may not repo
rt accurately.
User Policy update has completed successfully.

The following warnings were encountered during user policy processing:

Windows failed to record Resultant Set of Policy (RSoP) information, which descr
ibes the scope of Group Policy objects applied to the computer or user. This cou
ld be caused by RSOP being disabled or Windows Management Instrumentation (WMI)
service being disabled, stopped, or other WMI errors. Group Policy settings succ
essfully applied to the computer or user; however, management tools may not repo
rt accurately.

For more detailed information, review the event log or run GPRESULT /H GPReport.
html from the command line to access information about Group Policy results.

If I type GPRESULT /H GPReport, I get access denied.
AfternoonShift Asked:
Cliff Galiher Commented:
The default policies cannot be removed. They are "special" much like the default "Administrator" account, for a loose comparison.

You *can* reset the policies to their original state. The command "dcgpofix.exe" will wipe and restore all of the original in-box settings. Because this is destructive, have a full system-state backup before attempting this procedure. If other changes were made in other policies, you could find you've locked yourself out of the system or caused more widespread corruption if you aren't careful.
0
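An added example, not part of the original thread: one way to capture the current Default Domain Policy (settings, security filtering and domain-root links) before running dcgpofix.exe, in addition to the system-state backup recommended above. It assumes the GroupPolicy module (GPMC) is installed and an elevated session; the C:\GPOBackup path is a hypothetical location.

```powershell
# Added example: snapshot the Default Domain Policy before a destructive reset.
# Assumes the GroupPolicy module (GPMC/RSAT) and an elevated PowerShell session.
Import-Module GroupPolicy

$gpoName   = 'Default Domain Policy'
$backupDir = 'C:\GPOBackup'                      # hypothetical path
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. GPO-level backup; can be brought back later with Restore-GPO.
$backup = Backup-GPO -Name $gpoName -Path $backupDir -Comment "Before dcgpofix $stamp"
"Backup ID: $($backup.Id)"

# 2. Readable report of every setting the previous admin changed.
Get-GPOReport -Name $gpoName -ReportType Html `
    -Path (Join-Path $backupDir "DDP-settings-$stamp.html")

# 3. Delegation and security filtering (who has Read / Apply on the GPO).
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission, Inherited |
    Export-Csv -Path (Join-Path $backupDir "DDP-permissions-$stamp.csv") -NoTypeInformation

# 4. Every GPO linked at the domain root, with order and Enforced flag,
#    so other policies that depend on the current state are visible.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# Only after reviewing the files above, the reset itself (destructive):
#   dcgpofix.exe /target:Domain
```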
AfternoonShift (Author) Commented:
Is there a way I can force them to reset on just a local computer/server, since they cannot be removed?

I changed the Default Domain Policy all back to default manually. Instead of using "Authenticated Users", can I just add a single user for testing?

Could I also make another GPO and force it to overwrite the Default Domain Policy?
0
Sandeshdubey (Senior Server Engineer) Commented:
Yes, you can define a policy to revert the same. Instead of adding Authenticated Users, add the user or computer as the policy requires. If it is a user-based policy, then the user should be added, or the computer if it is a computer-based policy.

It is better to check the policy on one of the client computers or servers by running rsop to understand the policy applied, and then create a test OU, move the user or computer to the test OU, and apply the GPO as per requirement.

In case you want to restore the Default Domain GPO, you can do that, but it will be restored to default and the old policy settings will be lost. http://www.windowsitpro.com/article/group-policy/how-can-i-restore-the-contents-of-the-default-domain-and-default-domain-controller-dc-group-policy-objects-gpos-

Hope this helps
0
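An added example, not part of the original thread: the test-OU approach described above, with a new GPO filtered to a single user instead of "Authenticated Users". The GPO name, OU distinguished name and user name are placeholders, and the GroupPolicy module is assumed.

```powershell
# Added example: scope a test GPO to one user in a test OU.
# All names below are placeholders; substitute your own.
Import-Module GroupPolicy

$gpoName  = 'TEST - Scoped Policy'               # hypothetical GPO name
$ouDn     = 'OU=testing,DC=example,DC=com'       # placeholder OU
$testUser = 'testuser1'                          # placeholder account

# Create the GPO and link it to the test OU only (not the domain root).
New-GPO -Name $gpoName -Comment 'Scoped test policy' | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# A new GPO grants "Authenticated Users" Read + Apply. Lower that to Read only
# rather than removing the group entirely: computer accounts must still be able
# to read the GPO for user settings to process (behaviour since the MS16-072
# update). -Replace is required when lowering an existing permission level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Grant Apply to the single test user (use -TargetType Computer for a
# computer-based policy).
Set-GPPermission -Name $gpoName -TargetName $testUser `
    -TargetType User -PermissionLevel GpoApply | Out-Null

# Confirm the resulting filtering and what the OU will process.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

$inh = Get-GPInheritance -Target $ouDn
"Block inheritance on OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enforced

# On the test client, from an elevated prompt:
#   gpupdate /force
#   gpresult /h C:\GP.html
```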


AfternoonShift (Author) Commented:
Thanks. Yeah, before the bad policy was deployed, I could run rsop... but whichever PC has the policy applied, I get access denied. I will give a few of your suggestions a try and update. Thanks to both comments so far!
0
Sandeshdubey (Senior Server Engineer) Commented:
Open the command prompt with Run as administrator on the server or client and run gpresult /h C:\GP.html. This will create a GP.html file on the C volume. Open the HTML file and see if you can view the policies applied.
0
AfternoonShift (Author) Commented:
Here is what I get when I run this on the DC or on a client with the bad Default Group Policy.

C:\>gpresult /h C:\GP.html
ERROR: Access Denied.


I did make an OU called "testing" and added a user and computer to one of the affected client computers. I then made a new GPO and enforced it. The GPO is mostly blank, besides a few options to see if it applied. Nothing seemed to change on the client's PC. I did go into regedit and looked under HLM -> Group Policy -> History, and I can see just the enforced GPO and the Local GPO.

I still get this error when I do gpupdate as well.

Windows failed to record Resultant Set of Policy (RSoP) information, which descr
ibes the scope of Group Policy objects applied to the computer or user. This cou
ld be caused by RSOP being disabled or Windows Management Instrumentation (WMI)
service being disabled, stopped, or other WMI errors. Group Policy settings succ
essfully applied to the computer or user; however, management tools may not repo
rt accurately.

Though both services are running.
0
Sandeshdubey (Senior Server Engineer) Commented:
Can you enable Block Inheritance on the testing OU, reboot the server or client which is in the testing OU, and check the result?

I would recommend moving one client computer and user to the testing OU and then testing.
0
AfternoonShift (Author) Commented:
OK. I did that to the workstation and rebooted. It still won't let me do rsop.msc, and I still get an error when doing gpupdate /force.

I haven't rebooted the server since all this went down either, though it's at the end of the work week, so I can do that now without anyone in the building.

I had another idea of maybe enabling the old strict one, but changing all the options that were enabled to disabled instead of "not defined"... not sure if that would force a change to the servers and clients.
0
Sandeshdubey (Senior Server Engineer) Commented:
Yes, you can apply the old GPO and set the GPO settings to disabled as per requirements and check.
0
AfternoonShift (Author) Commented:
Everything seems to be running smoothly again. While I still have 1 PC that won't remove some of the bad GPO... all the others have picked it up and applied the settings. Thanks for your help, Sandeshdubey & Cliff.

Once I enabled the OLD GPO with the settings back to default and tested on a few machines that were online, it seemed to take effect. Thankfully I still have a 2003 server online, so I could remove the settings that are no longer listed in the 2012 R2 Default Domain Policy.
0
Question has a verified solution.