Group Policy Object (GPO) is a handy tool for fine-tuning the user and the operating system environment in Windows. Both domain GPOs (if the computer is a member of an Active Directory domain) and local Group Policies (these settings are configured locally on the computer) can be applied to the computer and to the users. Due to incorrect configuration of some GPO settings (most often related to security), you may experience various problems with running applications or tools, operating system errors (up to the impossibility of logging on to Windows locally), etc. If you don’t know which GPO setting is causing the problem, you can reset Windows Group Policy settings to defaults.
- How to Reset Specific Local Group Policy Options with Gpedit.msc
- Reset All Group Policy Settings to Default on Windows with CMD
- Reset Local Security Policy Settings to Default in Windows
- How to Reset Local GPO Settings If You Can’t Logon Windows
- Clear Domain-Applied Group Policy Settings in Windows
- How to Restore Default Domain Group Policies
How to Reset Specific Local Group Policy Options with Gpedit.msc
The graphical Local Group Policy Editor console (gpedit.msc) is used to configure GPO settings on the local computer. This console is only available in the Pro, Enterprise, and Education editions of Windows 10 and 11.
Open the gpedit.msc MMC snap-in and navigate to the All Settings section (Local Computer Policy -> Computer Configuration -> Administrative Templates). This section contains all the options that are available for configuration in the administrative (admx) GPO templates installed on the computer. Sort policies by the State column to find all configured settings (with Disabled or Enabled state).
To disable the specific Group Policy parameter, you must change its state to Not Configured.
In the same way, you can reset the settings in the User Configuration section of the local GPO editor.
This is the easiest way to find and undo applied Local Group Policy settings in Windows.
However, incorrect Group Policy settings can prevent the gpedit.msc snap-in (or other programs and tools) from running, may prevent you from logging on to the computer locally, can revoke your local administrator permissions, etc. In such cases, you will need to reset all of the GPO settings in the local files on the computer.
Reset All Group Policy Settings to Default on Windows with CMD
Windows stores local Group Policy settings in the Registry.pol files. The policy settings for the user and the computer are stored in separate POL files.
- The computer settings (Computer Configuration section) are stored in
- The user settings (User Configuration section) are stored in
If you enable certain options in a local GPO from the gpedit.msc console, any changes that you make will be saved to the Registry.pol files. The new settings are imported into the registry and applied to the computer when Group Policy settings are updated (using the gpupdate /force command or by schedule).
- When you start your computer, the registry settings are imported from the \Machine\Registry.pol file into the
- User settings are imported from the \User\Registry.pol file into the HKEY_CURRENT_USER (HKCU) registry hive when the user logs on to Windows.
Therefore, to remove the current local Group Policy settings, you must delete the Registry.pol files in the GroupPolicy and GroupPolicyUsers folders. You can delete Registry.pol files and reset the current GPO settings from the command prompt:
RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
Update the settings in the Group Policy to reset the old settings in the registry:
These commands will reset all local Group Policy settings in the Computer Configuration and User Configuration sections.
Open the gpedit.msc console and make sure that all the policies are set to 'Not configured'. After you have run the gpedit.msc console, the GroupPolicy directories will be automatically re-created.
Reset Local Security Policy Settings to Default in Windows
Local security policies are configured in a separate secpol.msc MMC console. If you want to reset local Windows security policy settings to defaults, run the command:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
The %windir%\inf\defltbase.inf file is a template that contains the default local security settings for Windows.
Restart your computer.
This should reset the Windows security settings that are stored under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key.
Try manually renaming the local security policy base checkpoint file if the previous method did not work:
ren %windir%\security\database\edb.chk edb_old.chk
Update Group Policy settings:
Restart Windows using the shutdown command:
shutdown -f -r -t 0
How to Reset Local GPO Settings If You Can’t Logon Windows
If you can’t log on to Windows locally, or you can’t open the command prompt (for example, if applications are blocked by an AppLocker or Software Restriction policy), you can delete the Registry.pol files by booting from Windows installation media (a bootable USB flash drive), from any LiveCD, or using the Windows Recovery Environment (WinRE).
- Boot your computer from any Windows installation media and open the command prompt (
- Run the command:
- Then display the list of volumes on the computer:
In this case, the drive letter C:\ is assigned to the system drive. The drive letter may be different in your case. For this reason, the following commands need to be executed in the context of your system drive (e.g., D:\ or C:\).
- Close diskpart:
- Run the following commands:
RD /S /Q C:\Windows\System32\GroupPolicy
RD /S /Q C:\Windows\System32\GroupPolicyUsers
- Restart your computer and check that all local Group Policy settings are reset to their default state.
Clear Domain-Applied Group Policy Settings in Windows
If the computer is part of an Active Directory domain, its settings can be configured using domain GPOs.
The registry.pol files of all applied domain GPOs are cached in the %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies folder. Each policy stores its files in a separate directory with a name that includes the GUID of the domain policy.
When you remove a computer from a domain, the registry.pol files of the domain Group Policies should be automatically deleted from the computer. Sometimes it happens that a computer has left the domain, but the domain GPO settings are still applied to it.
In this case, you should clear the domain Group Policy cache on the computer. You can use the following BAT script:
DEL /S /F /Q "%ALLUSERSPROFILE%\Microsoft\Group Policy\History\*.*"
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy" /f
REG DELETE HKLM\Software\Policies\Microsoft /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies /f
REG DELETE HKCU\Software\Policies\Microsoft /f
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects" /f
DEL /F /Q C:\WINDOWS\security\Database\secedit.sdb
The C:\ProgramData\Microsoft\Group Policy\History folder contains the Group Policy Preference settings that have been applied to the computer.
If you have checked the Remove this item if it is no longer applied option in the GP Preferences item options, then the GPO cache in this folder will allow you to revert to the previous state after disabling the policy.
How to Restore Default Domain Group Policies
There are two default GPOs with known GUIDs in the domain:
- Default Domain Policy
- Default Domain Controller Policy
According to Microsoft’s guidelines, these GPOs should not be edited. It is recommended that you create a copy of these policies in the Group Policy Management console (gpmc.msc) and modify the settings as required.
Use the built-in dcgpofix.exe tool to restore these GPOs to their default settings.
Open an elevated command prompt on the DC and run the command:
dcgpofix /target:Domain – reset the Default Domain GPO
dcgpofix /target:DC – reset the Default Domain Controller GPO
Or reset both default GPOs at once:
An error may appear:
The Active Directory schema version for this domain and the version supported by this tool do not match. The GPO can be restored using the /ignoreschema command-line parameter. However, it is recommended that you try to obtain an updated version of this tool that might have an updated version of the Active Directory schema. Restoring a GPO with an incorrect schema might result in unpredictable behavior.
In this case, you must add the /ignoreschema option to force a reset of the default GPOs:
dcgpofix /ignoreschema /target:Domain