The default Domain Group Policy object (GPO) contains many default security settings. Sometimes, changing the default settings may produce unwanted effects. Unwanted effects may also result if the contents of the Sysvol folder are manually rebuilt or are restored from a backup.
This article describes how to reset security settings in the default Domain GPO. The default security policy settings are reset by editing the Gpttmpl.inf file that is located in the Sysvol folder.
This is to be done with caution. A damaged Gpttmpl.inf file may make your domain controller inoperable.After you complete this procedure, any configured settings in the default Domain GPO will be lost, and you will have to re-configure and re-apply your required settings.
This step-by-step article describes how to reset the default security settings in the Domain GPO. The Domain GPO uses a template, and, by default, it enables default security settings that are related to account policy only. None of the other settings are enabled initially. You can change these default settings by using the Group Policy Object Editor to modify individual settings in the Security Settings container under Computer Management\Windows Settings.
Sometimes, changing the default settings or enabling or disabling other settings may produce unwanted effects. This may result in a condition where unexpected restrictions exist on user accounts. If the changes are unexpected, or if the changes were not recorded so that you do not know what changes were made, it may be necessary to reset these security settings to their defaults.
This situation may also result if the contents of the Sysvol folder are manually rebuilt or if they are restored from a backup by using the steps that are included in Microsoft Knowledge Base article 253268:For more information, click the following article number to view the article in the Microsoft Knowledge Base:
253268 Group policy error message when appropriate Sysvol contents are missing
Reset the default settings in the Gpttmpl.inf file
Warning Use caution when you perform the following procedure because incorrectly configuring the GPO template may make your domain controller inoperable. Before you follow these steps, you must make a backup of the Gpttmpl.inf file. You must also make sure to edit the Gpttmpl.inf file under this specific GUID or path. Under another GUID, there is a similar Gpttmpl.inf file that controls user settings of the domain controller’s Group Policy settings.
Log on to Directory Services Restore mode.
Open the Gpttmpl.inf file with a text editor, such as Notepad. This file is located in the following folder, where sysvol path is the path of your Sysvol folder. The default path for the Sysvol folder is %SystemRoot@\Sysvol.
To completely reset the security settings to the default settings, replace the existing information in the Gpttmpl.inf file with the following default information that you can copy and paste into your current Gpttmpl.inf file:
Increment the GPO version to make sure that the policy changes are retained. To do this, use one of the following methods.
Method 1: Use Group Policy Object Editor
Open Group Policy Object Editor.
Make a change.
Close Group Policy Object Editor.
Method 2: Manually edit the Gpt.ini file
To manually increase the GPO version, edit the Gpt.ini file that controls the Group Policy Template version numbers. To do this:
Open the Gpt.ini file with a text editor, such as Notepad. This file is located in the following folder, where sysvol path is the path of your Sysvol folder. The default path for the Sysvol folder is %SystemRoot@\Sysvol.
Increase the version number to a number that is large enough to guarantee that normal replication will not make the new version number become outdated before the policy can be reset. It is better to increment the number by either adding the number "0" to the end of the version number, or the number "1" to the beginning of the version number.
Save the Gpt.ini file, and then close it.
Apply the new GPO
Apply the new GPO by using the Secedit tool to manually update the GPO. To do so, type secedit /refreshpolicy machine_policy /enforce at a command prompt, and then press ENTER. Then, check the application log in Event Viewer for Event 1704 to verify successful policy propagation.
Note After you perform this procedure, your previously configured Group Policy settings will be removed. You have to re-configure and re-apply these settings by using Group Policy Object Editor.
For more information about how to refresh Group Policy settings, click the following article number to view the article in the Microsoft Knowledge Base:
227448 Using Secedit.exe to force Group Policy to be applied again
For more information about how to reset user rights in the default Domain Controllers GPO, click the following article number to view the article in the Microsoft Knowledge Base:
267553 How to reset user rights in the Default Domain Controllers Group Policy object