Article ID: 226243 - View products that this article applies to.
This article was previously published under Q226243
NoticeThis article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center
(https://support.microsoft.com/?scid=http%3a%2f%2fsupport.microsoft.com%2fwin2000)is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy
The default Domain Group Policy object (GPO) contains many default security settings. Sometimes, changing the default settings may produce unwanted effects. Unwanted effects may also result if the contents of the Sysvol folder are manually rebuilt or are restored from a backup.
This article describes how to reset security settings in the default Domain GPO. The default security policy settings are reset by editing the Gpttmpl.inf file that is located in the Sysvol folder.
This is to be done with caution. A damaged Gpttmpl.inf file may make your domain controller inoperable. After you complete this procedure, any configured settings in the default Domain GPO will be lost, and you will have to re-configure and re-apply your required settings.
This step-by-step article describes how to reset the default security settings in the Domain GPO. The Domain GPO uses a template, and, by default, it enables default security settings that are related to account policy only. None of the other settings are enabled initially. You can change these default settings by using the Group Policy Object Editor to modify individual settings in the Security Settings container under Computer Management\Windows Settings.
Sometimes, changing the default settings or enabling or disabling other settings may produce unwanted effects. This may result in a condition where unexpected restrictions exist on user accounts. If the changes are unexpected, or if the changes were not recorded so that you do not know what changes were made, it may be necessary to reset these security settings to their defaults.
This situation may also result if the contents of the Sysvol folder are manually rebuilt or if they are restored from a backup by using the steps that are included in Microsoft Knowledge Base article 253268: For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/253268/ )Group policy error message when appropriate Sysvol contents are missing
Increment the GPO versionIncrement the GPO version to make sure that the policy changes are retained. To do this, use one of the following methods.
Apply the new GPOApply the new GPO by using the Secedit tool to manually update the GPO. To do so, type secedit /refreshpolicy machine_policy /enforce at a command prompt, and then press ENTER. Then, check the application log in Event Viewer for Event 1704 to verify successful policy propagation.
Note After you perform this procedure, your previously configured Group Policy settings will be removed. You have to re-configure and re-apply these settings by using Group Policy Object Editor.
For more information about how to refresh Group Policy settings, click the following article number to view the article in the Microsoft Knowledge Base:
227448For more information about how to reset user rights in the default Domain Controllers GPO, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/227448/ )Using Secedit.exe to force Group Policy to be applied again
(https://support.microsoft.com/kb/267553/ )How to reset user rights in the Default Domain Controllers Group Policy object
Article ID: 226243 - Last Review: October 31, 2006 - Revision: 4.5