One of the main tools to configure user and system settings in Windows is the Group Policy Objects (GPO). Local (these settings are configured locally on the computer) and domain GPOs (if a computer is joined to the Active Directory domain) can be applied to the computer and its users. However, incorrect configuration of some GPO settings can lead to various problems. Group Policy settings can block the connection of USB devices, shared printers and folder, restrict network access by the Windows Defender Firewall rules, block apps and tools from the installing or running (via SPR or AppLocker policies), restrict local or remote logons to a computer.
If you cannot logon to the computer locally, or doesn’t know exactly which of the applied GPO settings causing a problem, you have to use a script to reset the Group Policy settings to their defaults. In a “clean” state, none of the Group Policy settings are configured.
- How to Reset Local Group Policy Editor (Gpedit.msc) Settings to Default?
- Group Policy Files Registry.pol
- Resetting all Local Group Policy Settings at Once on Windows 10/Windows Server 2016
- Reset Local Security Policy Settings to Default in Windows
- Reset Local GPO Settings without Logging in
- How to Clear and Remove Domain-Applied GPO settings?
How to Reset Local Group Policy Editor (Gpedit.msc) Settings to Default?
This method involves using the GUI of the local Group Policy Editor console (gpedit.msc) to disable all configured policy settings. The local GPO graphical editor is available only in Pro, Enterprise and Education Windows 10 editions.
gpedit.msc MMC snap-in and go to the All Settings section (Local Computer Policy -> Computer Configuration – > Administrative templates). This section contains a list of all settings available for configuration in the local administrative GPO templates. Sort policies by the State column and find all configured policies (Disabled or Enabled state). Disable all or some of them by switching them to the Not configured state.
Do the same steps in the User Configuration section. Thus, you can disable all the settings of all settings in the Administrative GPO templates.
gpresult /h c:\PS\GPRreport.html
The above method for resetting Group Policy in Windows is suitable for the simplest cases. Incorrect GPO configuration can lead to more serious problems. For example, the inability to run the
gpedit.msc snap-in or even any program or app, loss of the administrator privileges, or a restrict to logon locally. In such cases, you have to reset the saved GPO settings in local files on your computer.
Group Policy Files Registry.pol
The Windows Group Policy architecture is based on special Registry.pol files. These files store registry settings that correspond to the configured GPO settings. User and Computer policies are stored in different Registry.pol files.
- The computer settings (Computer Configuration section) are stored in
- The user settings (User Configuration section) are stored in
During the startup, the Windows imports the contents of \Machine\Registry.pol to the system registry hive HKEY_LOCAL_MACHINE (HKLM). The contents of the file \User\Registry.pol are imported to the HKEY_CURRENT_USER (HKCU) hive when the user logs in.
When you open the Local GPO Editor Console, it loads the contents of the registry.pol files and shows them in a user-friendly graphical way. When you close the GPO editor, the changes you make are saved to the Registry.pol files. When you update the Group Policy settings on your computer (using the
gpupdate /force command or on a schedule), the new settings applied to the registry.
To remove all current settings for the local GPO, you must remove the Registry.pol files in the GroupPolicy and GroupPolicyUsers folders.
Resetting all Local Group Policy Settings at Once on Windows 10/Windows Server 2016
To force a reset of all current local Group Policy settings, you must delete the Registry.pol files. It is possible to completely delete directories with policy configuration files. You can do it with the following commands, run them in the elevated command prompt:
RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
RD.execommand was removed, so the
RMDIR.execommand must be used to remove directories.
After that, you need to reset the old GPO settings in the registry by applying a clean GPO:
These commands will reset all local Group Policy settings in the Computer Configuration and User Configuration sections.
gpedit.msc and make sure that all policies are in the Not Configured state. After running the gpedit.msc console, deleted
GroupPolicy folders will be created automatically with empty Registry.pol files.
The next time you make changes to Group Policy, Windows will create new Registry.pol files with the new settings.
Reset Local Security Policy Settings to Default in Windows
Local security policies are configured in a separate mmc console –
secpol.msc. If the problems with the computer are caused by “tightening the screws” in the local security settings, and if you still have local access to Windows and administrator rights, it’s better to reset the security policy settings to the default values. To do it, open the
cmd.exe as an administrator and run the following command:
- In Windows 10, Windows 8.1/8 and Windows 7:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
- In Windows XP:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
Restart the computer.
If you still have problems with security policies, try manually renaming the checkpoint file of the local security policy database %windir%\security\database\edb.chk.
ren %windir%\security\database\edb.chk edb_old.chk
Run the command:
Restart Windows using the shutdown command:
Shutdown –f –r –t 0
Reset Local GPO Settings without Logging in
If it is impossible to boot/login Windows, the GPSVC service is not running, you don’t have local administrator privileges, or you cannot open the command prompt (for example, apps are blocked by Applocker/SRP policy), just boot your computer from any Windows installation disc, USB flash drive or LiveCD and reset local GPO outside of the installed Windows image.
- Boot your computer from any Windows installation media and open the command prompt (
- Run the command:
- Then display the list of volumes on the computer:
In this case, the drive letter assigned to the system volume corresponds to the system drive C:\. However, sometimes it may not match. So, the commands below must be executed in the context of your system drive (e. g., D:\ or C:\);
- Close diskpart:
- Run the following commands one by one:
RD /S /Q C:\Windows\System32\GroupPolicy
RD /S /Q C:\Windows\System32\GroupPolicyUsers
- Restart the computer in the normal mode and make sure that the local Group Policy settings are reset to their default state.
How to Clear and Remove Domain-Applied GPO settings?
A few words about domain Group Policies. If a computer is joined to an Active Directory domain, some of its settings are set by domain-based GPOs
The registry.pol files of all applied domain Group Policies are stored in the directory %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies. Each policy is stored in a separate folder with the domain policy GUID. After your computer leaves the AD domain, the registry.pol files of domain Group Policies on the computer will be deleted and won’t be loaded to the registry at startup. However, sometimes, despite removing a computer from the domain, GPO settings can still be applied to the computer.
The following registry keys correspond to these registry.pol files:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
The versions history of the applied domain GPOs that have been used on the client is located in the following registry keys:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
- HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\
The local cache of applied domain GPOs is stored in the C:\ProgramData\Microsoft\Group Policy\History. Delete the files in this directory with the command::
DEL /S /F /Q “%PROGRAMDATA%\Microsoft\Group Policy\History\*.*”
If you need to forcefully remove the domain GPO settings, you need to clean the
%windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies directory and delete the specified registry keys (it is strongly recommended that you backup the deleted files and registry entries!!!) .
gpupdate /force /boot