One of the main tools to configure user and system settings in Windows is the group policies (GPO). The domain (if a computer is in the domain) or local (those set and active only on the given computer) Group Policies can influence this computer and its users. The Group Policies are a fine means to configure a system able to increase its performance and security. However, the novice system administrators, who decided to make some experiments on the security of their computers, can configure a local (or a domain) group policy incorrectly and encounter different problems, starting from minor ones, like inability to mount a printer or a USB flash-drive, or a complete prohibition to install or run any applications or even to the prohibition to log on to the system.
In such cases usually worsened with the fact that the administrator just doesn’t know which of the applied policies causes the problem, it is necessary to reset the local group policies setiings to their default state with neither of the group policy parameters set.
How to Reset the Local Group Policies Using Gpedit.msc Console
Open the Local Group Policy Management console gpedit.msc.
Go to All Settings section in the local system security policies (Local Computer Policy -> Computer Configuration – > Administrative templates). This section contains the list of all policies available for configuration in the administrative templates. Filter the policies in the State column and find all active policies (Disabled or Enabled). Disable all or some of them by making them Not configured.
Do the same in the user policies section (User Configuration). Thus you can disable all administrative group policies.
This means to reset the group policies in Windows is suitable for the simplest cases. Incorrect configuration of the group policies can result in more serious problems, like inability to start gpedit.msc snap-in or all apps in the system, the loss of the administrator privileges by the user, or a prohibition to log on. Let’s consider these cases in detail.
How to Reset Local Security Policies in Windows
Local security policies are configured in a separate mmc console – secpol.msc. If the problems with the computer are caused by tightening the screws in the local security settings and the user has retained the access to the system and the administrative rights, first, it’s better to reset the security settings to their default values. To do it, under the administrator privileges run the following command in the command line:
In Windows XP:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
In Windows 8, Windows 7, Vista:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
After that restart the computer.
A «Hard» Way to Reset Group Policies Settings in Windows to Their Default Values
Prior to talking about the radical way to reset the Group Policies in Windows, let’s get an insight into the architecture of the administrative templates of Windows GPO.
The architecture of the administrative templates of the group policies is based on the special files Registry.pol. These files store the registry settings that correspond to the certain settings of the configured group policies. The user and computer policies are kept in different Registry.pol files.
- The computer settings (Computer Configuration section) are stored in %SystemRoot%\System32\ GroupPolicy\Machine\registry.pol
- The user settings (User Configuration section) are stored in %SystemRoot%\System32\ GroupPolicy\User\registry.pol
During the startup, the system exports the contents of \Machine\Registry.pol to the branch HKEY_LOCAL_MACHINE (HKLM) of the system registry. The contents of the file \User\Registry.pol is exported to the branch HKEY_CURRENT_USER (HKCU) when a user logs in the system.
The Local Group Policy Editor when started loads the contents of these files and shows it to the user in a convenient way. After the GPO Editor is closed, the changes are saved in the registry.
To reset all current settings of the local group policies, Registry.pol files in the GroupPolicy folder have to be deleted. You can do it with the following commands run in the command line under the administrator privileges:
1 2 3
RD /S /Q "%WinDir%\System32\GroupPolicyUsers" RD /S /Q "%WinDir%\System32\GroupPolicy" gpupdate /force
How to Reset Local Security Policies If It Is Impossible to Log on to Windows
If it is impossible to log on to the system locally or you can’t run the command line (e. g., when it or some other apps are locked with Applocker), you can delete Registry.pol files having booted from any Windows installation disk or a LiveCD.
- Boot from Windows installation disk and run the command line (Shift+F10)
- Run the command:
- Then display the list of volumes in the system:
In this case, the letter assigned to the system disk corresponds to the letter of the system – C:\. However, sometimes these can be different. So the following commands have to be run in the context of your system disk (e. g., D:\ or C:\)
- Finish working with diskpart by running:
- Run the following commands one by one:
RD /S /Q С:\Windows\System32\GroupPolicy RD /S /Q С:\Windows\System32\GroupPolicyUsers
- Restart the computer in the normal mode and make sure that the local group policies are reset to their default values.