Group Policy Objects (GPOs) are a handy tool for fine-tuning the user and operating system environment in Windows. Both domain GPOs (if the computer is a member of an Active Directory domain) and local Group Policies (settings configured locally on the computer) can be applied to the computer and to its users. Incorrectly configured GPO settings (most often security-related ones) can cause various problems: applications or tools that fail to run, operating system errors (up to being unable to log on to Windows locally), and so on. If you don't know which GPO setting is causing the problem, you can reset the Windows Group Policy settings to their defaults.
- How to Reset Specific Local Group Policy Options with Gpedit.msc
- Reset All Group Policy Settings to Default on Windows with CMD
- Reset Local Security Policy Settings to Default in Windows
- How to Reset Local GPO Settings If You Can’t Logon Windows
- Clear Domain-Applied Group Policy Settings in Windows
- How to Restore Default Domain Group Policies
How to Reset Specific Local Group Policy Options with Gpedit.msc
The graphical Local Group Policy Editor console (gpedit.msc) is used to configure GPO settings on the local computer. This console is only available in the Pro, Enterprise, and Education editions of Windows 10 and 11.
Open the gpedit.msc MMC snap-in and navigate to the All Settings section (Local Computer Policy -> Computer Configuration -> Administrative Templates). This section contains all the options that are available for configuration in the administrative (admx) GPO templates installed on the computer. Sort policies by the State column to find all configured settings (with Disabled or Enabled state).
To disable a specific Group Policy setting, change its state to Not Configured.
In the same way, you can reset the settings in the User Configuration section of the local GPO editor.
This is the easiest way to find and undo applied Local Group Policy settings in Windows.
However, incorrect GPO settings can prevent the gpedit.msc snap-in (or other programs and tools) from running, prevent you from logging on to the computer locally, revoke your local administrator permissions, etc. In such cases, you will need to reset all of the GPO settings in the local files on the computer.
Reset All Group Policy Settings to Default on Windows with CMD
Windows stores local Group Policy settings in the Registry.pol files. The policy settings for the user and the computer are stored in separate POL files.
- The computer settings (Computer Configuration section) are stored in %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
- The user settings (User Configuration section) are stored in %SystemRoot%\System32\GroupPolicy\User\registry.pol
If you enable certain options in a local GPO from the gpedit.msc console, any changes that you make will be saved to the Registry.pol files. The new settings are imported into the registry and applied to the computer when Group Policy settings are updated (using the gpupdate /force command or by schedule).
- When you start your computer, the registry settings are imported from the \Machine\Registry.pol file into the HKEY_LOCAL_MACHINE (HKLM) hive;
- User settings are imported from the \User\Registry.pol file into the HKEY_CURRENT_USER (HKCU) registry hive when the user logs on to Windows.
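To see which settings a Registry.pol file holds before deleting it, the file can be parsed offline. The parser below is an added example, not code from the original article; it assumes Microsoft's documented PReg layout (an 8-byte header followed by [key;value;type;size;data] entries in UTF-16LE), and the key and value names in the sample are made up.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)  # signature + format version 1
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}

def _expect(buf, pos, ch):
    """Require the 2-byte UTF-16LE delimiter ch at pos; return the offset after it."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _string(buf, pos):
    """Read a NUL-terminated UTF-16LE string and the ';' after it."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), _expect(buf, end + 2, ";")

def _dword(buf, pos):  # little-endian DWORD and the ';' after it
    return struct.unpack_from("<I", buf, pos)[0], _expect(buf, pos + 4, ";")
def _decode(rtype, data):
    if rtype == 4 and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data.decode("utf-16-le").rstrip("\0") if rtype in (1, 2) else data.hex()

def parse_registry_pol(buf):
    """Return [(key, value_name, type_name, data)] for each [key;value;type;size;data] entry."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _string(buf, _expect(buf, pos, "["))
        name, pos = _string(buf, pos)
        rtype, pos = _dword(buf, pos)
        size, pos = _dword(buf, pos)
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")  # also fails when data is truncated
        entries.append((key, name, REG_TYPES.get(rtype, str(rtype)), _decode(rtype, data)))
    return entries

def build_entry(key, name, rtype, data):  # serializer used only for the sample below
    head = f"[{key}\0;{name}\0;".encode("utf-16-le")
    return head + struct.pack("<I2sI2s", rtype, b";\0", len(data), b";\0") + data + b"]\0"

KEY = r"Software\Policies\ExampleVendor"  # constructed sample data, made-up names
SAMPLE = (PREG_HEADER + build_entry(KEY, "ExampleFlag", 4, struct.pack("<I", 1))
          + build_entry(KEY, "ExamplePath", 1, "C:\\Temp\0".encode("utf-16-le")))
```

On a real system, pass parse_registry_pol the bytes of \Machine\Registry.pol or \User\Registry.pol read in binary mode, and keep the output as a record of what was configured before the reset.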
Therefore, to remove the current local Group Policy settings, you must delete the Registry.pol files in the GroupPolicy and GroupPolicyUsers folders. You can delete Registry.pol files and reset the current GPO settings from the command prompt:
RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
Update the settings in the Group Policy to reset the old settings in the registry:
gpupdate /force
These commands will reset all local Group Policy settings in the Computer Configuration and User Configuration sections.
Open the gpedit.msc console and make sure that all the policies are set to 'Not configured'. After you have run the gpedit.msc console, the GroupPolicyUsers and GroupPolicy directories will be automatically re-created.
Reset Local Security Policy Settings to Default in Windows
Local security policies are configured in a separate secpol.msc MMC console. If you want to reset local Windows security policy settings to defaults, run the command:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
The %windir%\inf\defltbase.inf file is a template that contains the default local security settings for Windows.
Restart your computer.
This should reset the Windows security settings that are stored under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key.
Try manually renaming the local security policy base checkpoint file if the previous method did not work:
ren %windir%\security\database\edb.chk edb_old.chk
Update Group Policy settings:
gpupdate /force
Restart Windows using the shutdown command:
shutdown -f -r -t 0
How to Reset Local GPO Settings If You Can’t Logon Windows
If you can't log on to Windows locally, or you can't open the command prompt (for example, if applications are blocked by an AppLocker or Software Restriction policy), you can delete the Registry.pol files by booting from Windows installation media (a bootable USB flash drive), from any LiveCD, or using the Windows Recovery Environment (WinRE).
- Boot your computer from any Windows installation media and open the command prompt (Shift+F10);
- Run the command:
diskpart
- Then display the list of volumes on the computer:
list volume
In this case, the drive letter C:\ is assigned to the system drive. The drive letter may be different in your case. For this reason, the following commands need to be executed in the context of your system drive (e.g., D:\ or C:\);
- Close diskpart:
exit
- Run the following commands:
RD /S /Q C:\Windows\System32\GroupPolicy
RD /S /Q C:\Windows\System32\GroupPolicyUsers
- Restart your computer and check that all local Group Policy settings are reset to their default state.
Clear Domain-Applied Group Policy Settings in Windows
If the computer is part of an Active Directory domain, its settings can be configured using domain GPOs.
The registry.pol files of all applied domain GPOs are cached in the %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies directory. Each policy stores its files in a separate directory with a name that includes the GUID of the domain policy.
When you remove a computer from a domain, the registry.pol files of the domain Group Policies should be automatically deleted from the computer. Sometimes it happens that a computer has left the domain, but the domain GPO settings are still applied to it.
In this case, you should clear the domain Group Policy cache on the computer. You can use the following BAT script:
REM Remove the cached Group Policy Preferences history
DEL /S /F /Q "%ALLUSERSPROFILE%\Microsoft\Group Policy\History\*.*"
REM Remove Group Policy state and policy-written values from HKLM and HKCU
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" /f
REG DELETE HKLM\Software\Policies\Microsoft /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\Software\Policies\Microsoft /f
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects" /f
REM Delete the local security database, purge Kerberos tickets, and refresh policy
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
klist purge
gpupdate /force
exit
The C:\ProgramData\Microsoft\Group Policy\History folder contains the Group Policy Preference settings that have been applied to the computer. If you have checked the Remove this item if it is no longer applied option in the GP Preferences item options, then the GPO cache in this folder will allow you to revert to the previous state after disabling the policy.
How to Restore Default Domain Group Policies
There are two default GPOs with known GUIDs in the domain:
- Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
- Default Domain Controller Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
According to Microsoft's guidelines, these GPOs should not be edited. It is recommended that you create a copy of these policies in the Group Policy Management console (gpmc.msc) and modify the settings as required.
Use the built-in dcgpofix.exe tool to restore these GPOs to their default settings.
Open an elevated command prompt on the DC and run the command:
- dcgpofix /target:Domain (reset the Default Domain GPO)
- dcgpofix /target:DC (reset the Default Domain Controller GPO)
Or reset both default GPOs at once:
dcgpofix /target:both
An error may appear:
The Active Directory schema version for this domain and the version supported by this tool do not match. The GPO can be restored using the /ignoreschema command-line parameter. However, it is recommended that you try to obtain an updated version of this tool that might have an updated version of the Active Directory schema. Restoring a GPO with an incorrect schema might result in unpredictable behavior.
In this case, you must add the /ignoreschema option to force a reset of the default GPOs:
dcgpofix /ignoreschema /target:Domain
17 comments
This is absolutely awesome! A Windows knowledge base that:
Didn't require or suggest (so far as I can tell) member registration.
Written in blog form, such that I didn’t have to wade through hours of differing opinions and arguments.
Enabled me, step-by-step, to understand GPO administration within a local OS context (I will also assume I can get domain help, as well).
A clean page layout with minimal marketing interference, such that it appears the site is philanthropic in nature.
I’m in my 50’s, and when I was young and enthused I taught myself how to build & administer desktop PCs, beginning with MS-DOS 3.0, but I never really endeavored to fully understand network administration, beyond peer-to-peer configurations. I lived during the days when a computer virus was a prank, and I even wrote and placed a few benign surprises on my friends’ PCs. However, since the day organized crime began cracking personal and corporate networks for consumer fraud and identity theft I’ve lived in fear, due to my ignorance, when it comes to protecting my personal domain network. I simply no longer have the personal drive or will to sift through the mountains of confused knowledge and opinions (including the TechNet mountain) that usually end up wasting my days away.
Thank you. Can I donate to this site?
You are welcome!
You can donate to our website via the PayPal button in the sidebar.
thank you
I have a computer that will not allow me to log into. There's a setting in the local policy that requires a smart card to log in that was mistakenly checked. I've tried the above methods to reset everything. I haven't been successful to this point.
Any ideas on how to reset the policies so that I can log in with a local admin?
Thanks,
Jason
Thank you, thank you, thank you so much. I was fed up for the last 10 days because of some group policy applied by mistake and was not able to find a GPO reset command. This article saved my life, thank you so much.
First of all, my English is weak.
I did it. Thank you very much. My Windows 7_64 Enterprise can now create users with permission for user, before It was only permission for administrate.
Take care.
I used the method. secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
Thanks for this post 🙂
Very complete and clear article, it helped a lot.
Thanks.
Thank you man!
Hi,
Thanks for the great work and support to windows users.
I set a group policy on my computer using GPEDIT.MSC and forgot to include gpedit itself to unlock later, but when I closed the application everything else was locked except the app (Word) that I allowed to open. Even GPEDIT.MSC is not opening. I am stuck; is there a way to reset and remove the whole Group Policy?
You need to boot your device from any bootable disk / LiveCD / Windows 10 install disk and manually delete the files in the folders:
“d:\windows\System32\GroupPolicyUsers”
“d:\windows\System32\GroupPolicy”
Then just restart your computer and all Group Policy settings will be reset.
Thanks guys.
I really appreciate the effort but i found another Backdoor of Opening the MMC then Gpedit and i disabled.
Thanks
Nor Omar
I have an issue where I’ve been messing about with some settings using the local group policy and an additional template. This template worked well but when I went to remove the settings, the effect of the policy was not reversed and I noticed that the registry settings that had applied were not removed.
Any ideas? These registry settings can be removed manually but I would need to take ownership of every key and remove individually.
I have tried the following commands but still no luck:
RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
Thanks
Same I just tried and rd is a command not found. Perhaps we can add an env var to path via cmd to enable rd, which env var is it?
Perhaps we can add an env var to path via cmd to enable rd, which env var is it?
You can use the rmdir command instead of rd.