Restoring Default Domain Policies and SYSVOL to their defaults

We have stated a number of times, across a number of forums, that it's not a great practice to muck around with the Default Domain Policy and the Default Domain Controllers Policy. In fact, it's actually a really bad practice, and the same goes for SYSVOL. Just don't screw around with it.

If you want to apply policy specifically at the domain level or to your DCs, we recommend that you create your own policies, put them side by side with the defaults, and don't touch the preexisting ones.

So what happens if you have already modified the default policies and now want to restore them?

There's a tool called DCGPOFix. All it does is restore the default GPOs to their defaults. For Windows 2000 you can download it. For Windows Server 2003 and 2008 it's built in, so don't download and install the older one. There are a couple of issues here and here that you need to be aware of.

What happens if I've trashed SYSVOL?

To (basically) recreate SYSVOL:

1. The best idea is to recreate it from another DC - like this article says.

2. Then, assuming it's in the default location, restore the security descriptors using this method and restart FRS. Look to this article for assistance.

3. Verify it's all working with Ultrasound, which you can get here.

SYSVOL is a little more trashed than that??

I'm sorry to hear that. Here's the advanced information to recreate SYSVOL.

If that basic guide doesn't work properly, or you don't have a DC to get it from, you will need to do a manual recreation. This isn't easy and is considered last-resort information. Here's the guide for it. Essentially, it walks you through a manual, step-by-step procedure to set up everything in SYSVOL and get FRS working again. Note that this is FRS, not the newer DFS-R replicator. If you are using DFS-R to replicate SYSVOL, DO NOT use this method, as you will likely wreck your SYSVOL. Once it has been switched it has to stay that way.
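
A read-only pre-flight check for the FRS versus DFS-R caveat above, as an added example that is not part of the original post. The function name is hypothetical; it reads the msDFSR-Flags attribute on the domain's DFSR-GlobalSettings object and, as a conservative assumption, treats any migration state past Start as a reason not to use the FRS rebuild.

```powershell
# Added example, not from the original post. Read-only: it queries AD and changes nothing.
# Assumes a domain-joined machine and an account that can read CN=System in the domain.
# Get-SysvolReplicationState is a hypothetical helper name.

function Get-SysvolReplicationState {
    # SYSVOL migration global states as stored in msDFSR-Flags.
    $stateNames = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext
    $path     = "LDAP://CN=DFSR-GlobalSettings,CN=System,$domainDn"

    # No global settings object: SYSVOL migration was never initialised, FRS is in use.
    $state = 'NotInitialized'
    $flags = $null

    if ([System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        $flags = ([ADSI]$path).Properties['msDFSR-Flags'].Value
        if ($flags -ne $null -and $stateNames.ContainsKey([int]$flags)) {
            $state = $stateNames[[int]$flags]
        } else {
            # Object exists but the state cannot be read: do not assume FRS.
            $state = 'Unknown'
        }
    }

    # Conservative rule (assumption of this example): only a domain that has not
    # moved past Start is treated as safe for the FRS manual rebuild.
    $frsOnly = ($state -eq 'NotInitialized') -or ($state -eq 'Start')

    New-Object PSObject -Property @{
        Domain               = $domainDn
        MsDfsrFlags          = $flags
        MigrationState       = $state
        FrsRebuildApplicable = $frsOnly
    }
}

$result = Get-SysvolReplicationState
$result | Format-List Domain, MsDfsrFlags, MigrationState, FrsRebuildApplicable

if (-not $result.FrsRebuildApplicable) {
    Write-Warning ("SYSVOL migration state is '{0}'. Do not use the FRS manual rebuild on this domain." -f $result.MigrationState)
}
```

On Windows Server 2008 and later, `dfsrmig /getglobalstate` reports the same global state and can be used to cross-check the result.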

Hope this helps. Good luck.


Michael Kleef

Program Manager