Wednesday, April 17, 2013

Active Directory Domain Controller GPO Reset

I have these 2x Windows 2012 Domain Controllers that inherited policies from the old GPO which were created since Windows 2003 days. I did not realize there were problems until some of the features that I want to use started acting badly (e.g. access denied, etc).

Obviously the DCs have been joined to the domain and be put in the "Domain Controllers" OU by default after they were dcpromo-ed, which then got the old GPO applied to them.

So to clean them up all the registries, file systems security configuration that have been applied to DC, I need to reset the default domain policy and the default domain controllers policy. Before I do that, I back them up first, just in case.

To clean up the GPO run the following command:


Then I need to clean up the actual settings that have been applied to my DCs by running the following command on each DC:

C:\> secedit /configure /cfg C:\windows\inf\defltdc.inf /db defltdc.sdb /overwrite

Reboot the DC

No comments: