
Can I revert to default settings in Directory Services restore?

I have a bit of a problem. I was setting security on a brand new DC today and somehow mixed up the Local Security Settings, Domain Controller Security Policy and Domain Security Policy.

And, when I was adding users to log on locally, I forgot to add the administrator account, and now I cannot log on locally to this machine. I can, on the other hand, log onto the machine with the users I added -- but they have insufficient rights to change anything. I even tried to Run As admin but with no luck.

Is it possible to start in Directory Services restore mode and then maybe revert the settings, or just grant the admin account log on locally permissions, at least?

I often see this recommendation indicated, and it won't work in your case: The utility dcgpofix can restore default GPOs. However, to run dcgpofix, a utility in the %windir%\system32 directory, you need to be a domain administrator. When you log on in safe mode, Active Directory is not running, and you are not a domain administrator, and dcgpofix will fail.

However, there is a possible solution. Knowledge Base article 226243 details a way to restore the user rights section to the default by editing the gpttmpl.inf file of the default policy. Unfortunately, this file is protected, and by default, only administrators have the right to write to this file. If you log on in Directory Services Restore Mode, you will be able to change the file, or if necessary, take control of the file and then change it. Be sure to follow the directions in the article exactly. Let me know how it works out.
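A read-only check that can be run on a copy of gpttmpl.inf before and after the edit described in the answer above; this is an added example, not part of the original answer or of the Knowledge Base article. It parses the [Privilege Rights] section and reports whether the local logon right still includes the built-in Administrators group. The sample file contents, the account SID in them, and the choice to test only for the group SID S-1-5-32-544 are assumptions.

```python
# Added example: read-only audit of [Privilege Rights] in a copy of gpttmpl.inf.
ADMINS = "*S-1-5-32-544"                # well-known SID of BUILTIN\Administrators
ALLOW = "seinteractivelogonright"       # "Allow log on locally"
DENY = "sedenyinteractivelogonright"    # "Deny log on locally"

def decode_inf(raw: bytes) -> str:
    """Security templates are normally UTF-16 with a BOM; fall back to UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def privilege_rights(text: str) -> dict:
    """Return {right name (lowercase): [members]} from [Privilege Rights]."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip().upper() for m in value.split(",") if m.strip()]
            rights[name.strip().lower()] = members
    return rights

def audit(text: str) -> list:
    """List findings that would keep administrators from logging on locally."""
    rights, findings = privilege_rights(text), []
    if ALLOW not in rights:
        findings.append("SeInteractiveLogonRight is not defined in this policy")
    elif ADMINS not in rights[ALLOW]:
        findings.append("SeInteractiveLogonRight omits BUILTIN\\Administrators")
    if ADMINS in rights.get(DENY, []):
        findings.append("SeDenyInteractiveLogonRight includes BUILTIN\\Administrators")
    return findings

# Constructed samples (the account SID is made up): the lockout from the
# question, and the same file with the Administrators group present.
HEADER = '[Unicode]\r\nUnicode=yes\r\n[Version]\r\nsignature="$CHICAGO$"\r\n'
USER = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
BROKEN = (HEADER + "[Privilege Rights]\r\nSeInteractiveLogonRight = "
          + USER + "\r\n").encode("utf-16")
FIXED = (HEADER + "[Privilege Rights]\r\nSeInteractiveLogonRight = "
         + ADMINS + "," + USER + "\r\n").encode("utf-16")

if __name__ == "__main__":
    for label, raw in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(decode_inf(raw)) or "no findings")
```

An entry may also name accounts by SID or name rather than through the group, so an "omits" finding means the line needs a manual look, not that no administrator can log on.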
