Search This Blog

Thursday, September 5, 2013

Default Domain Controllers Policy and Default Domain Policy

This is one of the old ones, I have never had the time to blog.

I some situations you might find you self in so big trouble that you would like to recreate the original Domain and Domain Controllers policies.

This is possible with the command DCGPOFIX

As an example you can restore the Default Domain Controllers Policy with the command DCGPOFix /Target:dc


But be careful - the tool does will not restore the security settings on the policy as you would want it to be.

So if using DCGPOFIX you will must likely need to do some security settings afterwards.

Also be aware that DCGPOFIX will not link the policy to any OU's, so if the default links has been deleted you must create them again in GPMC.

As always a good backup is a better idea, so in order to backup your default gpo's you can use PowerShell and run it at a scheduled interval if needed but remember to cleanup the backups, no need to have to many backups saved.

This will create a backup of the Default Domain Controllers Policy.

Backup-Gpo -Name "Default Domain Controllers Policy" -Path C:\GpoBackups

Please note that the folder C:\GpoBackups in this example must be created before you run the command.


When you would like to restore the backup you can use Restore-Gpo

restore-Gpo -Name "Default Domain Controllers Policy" -Path C:\GpoBackups


This will also restore the security settings as they were at the time of the backup.

Restore-Gpo will as DCGPOFIX also not recreate missing gpo-links and they must be created again if desired.

No comments:

Post a Comment