It’s pretty common that I see installations where someone has changed the default GPOs in Active Directory:

  • Default Domain Policy
  • Default Domain Controller Policy

I always recommend as a best practice not to edit these GPOs except when absolutely necessary. Why? Simply because it’s best practice and Microsoft confirms it here and here:

  • “As a best practice, you should configure the Default Domain Policy GPO only to manage the default Account Policies settings, Password Policy, Account Lockout Policy, and Kerberos Policy.”
  • “As a best practice, you should configure the Default Domain Controllers Policy GPO only to set user rights and audit policies.”
  • “Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.”

If you want to reset it to default, use the following method:

First, document and/or back up the current GPOs in case you need them for some reason afterwards. Then issue the following commands:

dcgpofix /ignoreschema /target:Domain

dcgpofix /ignoreschema /target:DC

Please note that if the default GPOs have been deleted, they are only re-created and not linked to the domain, so you have to link them yourself.

Note that these default GPOs always have the same GUID which identifies them as the default ones.

  • Domain GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}
  • DC GPO GUID {6AC1786C-016F-11D2-945F-00C04FB984F9}
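
The backup and documentation step, plus a check of whether each default GPO is still linked, can be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original post; the backup folder `C:\GpoBackup` and the report file names are placeholders.

```powershell
# Added example, not from the original post. Run as a domain admin on a DC or
# a workstation with RSAT (GroupPolicy + ActiveDirectory modules) before dcgpofix.
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain

# Well-known GUIDs from the post, with the container each default GPO is normally linked to.
$defaults = @(
    @{ Target = 'Domain'; Guid = '31B2F340-016D-11D2-945F-00C04FB984F9'; LinkedTo = $domain.DistinguishedName }
    @{ Target = 'DC';     Guid = '6AC1786C-016F-11D2-945F-00C04FB984F9'; LinkedTo = $domain.DomainControllersContainer }
)

# Assumption: C:\GpoBackup is a placeholder; use a folder with restricted ACLs.
$backupDir = Join-Path 'C:\GpoBackup' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($d in $defaults) {
    try {
        $gpo = Get-GPO -Guid $d.Guid -ErrorAction Stop
    } catch {
        Write-Warning "GPO {$($d.Guid)} is missing; dcgpofix /target:$($d.Target) will re-create it without a link."
        continue
    }

    # Restorable backup plus a human-readable report of the current settings.
    Backup-GPO -Guid $d.Guid -Path $backupDir -Comment 'Before dcgpofix' | Out-Null
    Get-GPOReport -Guid $d.Guid -ReportType Html -Path (Join-Path $backupDir "$($d.Target)-default-gpo.html")

    # Is the GPO still linked to the container where the default one normally sits?
    $link = (Get-GPInheritance -Target $d.LinkedTo).GpoLinks |
        Where-Object { $_.GpoId -eq [guid]$d.Guid }

    [pscustomobject]@{
        Target   = $d.Target
        Name     = $gpo.DisplayName
        Modified = $gpo.ModificationTime
        Linked   = [bool]$link
        Enabled  = if ($link) { $link.Enabled } else { $null }
    }
}
```

If `Linked` is `False` after dcgpofix has re-created a GPO, `New-GPLink -Guid <guid> -Target <container>` restores the link.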

Here are some screenshots of how the default GPOs look if you prefer to change them manually rather than using dcgpofix since it might feel a bit drastic. I have also experienced a problem with dcgpofix where it gives me the error “unable to delete the file or directory” which could only be fixed by rebooting the DC.

Default Domain Policy:

Default Domain Controller Policy:


  • How to manually create Default Domain GPO [Link]
  • Dcgpofix [Link]