
14 June 2016

How to Recreate Active Directory Default Domain Policy GPO



A few months ago, I had a problem at a customer where the Default GPOs ("Default Domain Policy" and/or "Default Domain Controller Policy") were corrupted. I think the error was 0xc00ce509 and this will usually show up in the Group Policy management console.
If you see these errors, then your GPOs are not being applied at all.

The solution is simple!


Use the dcgpofix tool included with Windows 2008 and 2012 to recreate the policies with their default settings, so let's see how to do it.
  1. Launch PowerShell or Command Prompt with Administrative rights;
  2. Run the dcgpofix utility with the /target switch to specify whether it should recreate the "Default Domain Policy" (/target:domain), the "Default Domain Controller Policy" (/target:dc) or both (/target:both). NOTE: This action will completely wipe your existing policies ("Default Domain Policy" and/or "Default Domain Controller Policy"), so any customisations made to them are lost;
  3. Run the Group Policy management console (gpmc.msc) and verify the policies are now showing without any errors.
So, if you want to regenerate the "Default Domain Policy" you will enter the following:
dcgpofix /target:domain

If the fix completes successfully but the policies are still showing errors, you may need to manually rename the folders in the SYSVOL share:
  1. Open \\your-domain\sysvol\your-domain\Policies in an Explorer window;
  2. You will see two folders named with the unique ID of the policy you just recreated, one of which has the string "_NTFRS_" and a hexadecimal number appended. The folder without the additional string is the original (i.e. broken) policy, while the other is the newly created policy;
  3. Rename the folders so that the newly created policy's folder has only the unique ID.
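The SYSVOL rename step above, as an added PowerShell example that is not part of the original post. It assumes the well-known GUIDs of the two default GPOs, that you run it as a domain admin on a DC, and that the broken folder is kept under a ".broken" suffix for later inspection instead of being deleted:

```powershell
# Added example (not from the original post): after dcgpofix has run, swap the
# newly created "<GUID>_NTFRS_<hex>" policy folder into place in SYSVOL.
# Assumptions: domain admin session on a DC; the GUIDs below are the well-known
# IDs of the two default GPOs; the stale folder is renamed, not deleted.
param(
    [ValidateSet('domain', 'dc')] [string] $Target = 'domain',
    [string] $Domain = $env:USERDNSDOMAIN
)

$guid = @{
    domain = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy
    dc     = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'   # Default Domain Controllers Policy
}[$Target]

$policies = "\\$Domain\SYSVOL\$Domain\Policies"
$original = Join-Path $policies $guid

# dcgpofix leaves the replacement as "<GUID>_NTFRS_<hex>" while the old folder exists
$fresh = @(Get-ChildItem -Path $policies -Directory |
    Where-Object { $_.Name -like "${guid}_NTFRS_*" })

if ($fresh.Count -eq 0) {
    Write-Host "No _NTFRS_ duplicate found for $guid; nothing to rename."
    return
}
if ($fresh.Count -gt 1) {
    throw "Several _NTFRS_ copies of $guid exist; resolve manually: $($fresh.Name -join ', ')"
}

# Keep the broken original under a timestamped name so it can be inspected later
if (Test-Path $original) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Rename-Item -Path $original -NewName "$guid.broken-$stamp"
}
Rename-Item -Path $fresh[0].FullName -NewName $guid

# Verify: the recreated policy now sits under the bare GUID and has its GPT.INI
if (Test-Path (Join-Path $original 'GPT.INI')) {
    Write-Host "Policy $guid replaced; confirm in gpmc.msc and with gpupdate /force."
} else {
    Write-Warning "Folder renamed but GPT.INI not found under $original; check its contents."
}
```

If the domain still uses FRS rather than DFS-R for SYSVOL, allow replication to settle before checking the other domain controllers.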
