At some point in a consultant’s travels, they will come across group policies that nightmares are made of. Let’s quickly talk about one of those things that happens all too often: modifying the Default Domain Policy and the Default Domain Controllers Policy.
In general, the recommendation is to leave the Default Domain Policy and the Default Domain Controllers Policy as basic as possible. The industry and Microsoft’s recommendation is to make minimal changes to both policies and to add your own group policy objects (GPOs) for everything else. The reason we so often see heavy modifications to the default policies is that it’s very easy to create GPOs that step on each other, and editing the defaults looks like the quick way out.
One interesting situation I came across a few weeks ago was at a school customer of ours. For whatever reason, they were completely missing their Default Domain Policy and Default Domain Controllers Policy. We weren’t entirely sure whether the policies had been renamed and repurposed by the previous consultants, or whether they had simply been removed to get around the default account security. Regardless, we needed to re-create them properly. The same process can be used where the default policies are a mess and you’d like to start over completely with the out-of-box settings.
Here’s how we get this cleaned up…
First, if they’re still in place, take a backup of the policies in case we need to reference something from them later on. In the Group Policy Management tool, click Group Policy Objects, select the two policies, right-click, and choose Back Up.
Now we can get started with restoring the Default Domain Policy and Default Domain Controllers Policy that ship with the Windows Server operating system. Open a Command Prompt as administrator.
To restore the default domain policies, simply run the command “DCGPOFIX” and answer Y to each prompt after carefully reading and understanding what is about to happen. Any existing GPO named Default Domain Policy or Default Domain Controllers Policy will be removed and replaced with the default policy.
Take note of the /Target: option the command offers. We can restore only the Domain (Default Domain Policy) or only the DC (Default Domain Controllers Policy) if we prefer. By default, BOTH policies are restored if you omit the Target parameter.
In some instances (like on this particular Windows 2008 R2 domain controller in a Windows 2008 domain) you will encounter this error.
In this case you will need to use the switch mentioned in the error – /ignoreschema.
After the DCGPOFIX command has finished running, be sure to review and modify the new Default Domain Policy to set password expirations that are appropriate for your environment, and to re-apply any user rights assignments you had in either the Default Domain Policy or your Default Domain Controllers Policy, since DCGPOFIX puts both back to their out-of-box settings.
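The same procedure scripted in PowerShell, as an added example that is not part of the original post: it backs up the two default GPOs by their well-known GUIDs (so a renamed default is still found), runs DCGPOFIX, confirms the defaults are back, and prints the password policy that now needs re-tuning. It assumes the GroupPolicy and ActiveDirectory RSAT modules, a Domain Admin session on a DC, and a backup folder of C:\GPOBackup.

```powershell
# Added example, not the original post's code. Assumes RSAT GroupPolicy and
# ActiveDirectory modules and a Domain Admin session on a domain controller.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$BackupPath = 'C:\GPOBackup'   # assumed backup location
# The default policies always keep these well-known GUIDs, even if renamed.
$DefaultGpos = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04fB984F9'
}
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

foreach ($entry in $DefaultGpos.GetEnumerator()) {
    # Look up by GUID rather than display name so a repurposed default is caught.
    $gpo = Get-GPO -Guid $entry.Value -ErrorAction SilentlyContinue
    if ($null -eq $gpo) {
        Write-Warning "$($entry.Key) [$($entry.Value)] is missing; nothing to back up."
        continue
    }
    if ($gpo.DisplayName -ne $entry.Key) {
        Write-Warning "GPO $($entry.Value) is currently named '$($gpo.DisplayName)', not '$($entry.Key)'."
    }
    # Backup-GPO keeps the settings; the HTML report is handy for reading old values later.
    Backup-GPO -Guid $entry.Value -Path $BackupPath -Comment "Pre-DCGPOFIX $(Get-Date -Format s)" | Out-Null
    Get-GPOReport -Guid $entry.Value -ReportType Html -Path (Join-Path $BackupPath "$($entry.Value).html")
}

# Restore both defaults; DCGPOFIX still asks for Y/N confirmation interactively.
# Use /Target:Domain or /Target:DC to restore only one, and add /ignoreschema
# if the schema-version check stops it (as on the 2008 R2 DC in a 2008 domain).
& dcgpofix.exe /target:both

# Confirm both defaults exist again under their expected names and GUIDs.
foreach ($entry in $DefaultGpos.GetEnumerator()) {
    Get-GPO -Guid $entry.Value | Select-Object DisplayName, Id, ModificationTime
}

# DCGPOFIX resets the domain password policy to out-of-box values; review and
# re-apply your own password and user-rights settings before moving on.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

Run it from an elevated PowerShell session; the backup runs first so the restore step can be skipped and reviewed if either warning fires.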
That should do it! For more information please visit the following link: Microsoft TechNet Core Group Policy Tools (https://technet.microsoft.com/en-us/library/cc784165(WS.10).aspx)