Windows OS Hub


October 28, 2020. Categories: Group Policies, Windows 10, Windows Server 2016

Reset Local Group Policy Settings in Windows

Group Policy Objects (GPOs) are one of the main tools for configuring user and system settings in Windows. Both local GPOs (configured locally on the computer) and domain GPOs (if the computer is joined to an Active Directory domain) can be applied to a computer and its users. However, incorrect configuration of some GPO settings can lead to various problems. Group Policy settings can block the connection of USB devices and shared printers and folders, restrict network access through Windows Defender Firewall rules, block apps and tools from being installed or run (via SRP or AppLocker policies), and restrict local or remote logons to a computer.

If you cannot log on to the computer locally, or don’t know exactly which of the applied GPO settings is causing a problem, you have to use a script to reset the Group Policy settings to their defaults. In a “clean” state, none of the Group Policy settings are configured.

In this article we show several methods for resetting the settings of local and domain Group Policies to default values. This guide can be used to reset GPO settings on all supported Windows versions: from Windows 7 to Windows 10, as well as all versions of Windows Server (2008/R2, 2012/R2, 2016 and 2019).

Contents:
  • How to Reset Local Group Policy Editor (Gpedit.msc) Settings to Default?
  • Group Policy Files Registry.pol
  • Resetting all Local Group Policy Settings at Once on Windows 10/Windows Server 2016
  • Reset Local Security Policy Settings to Default in Windows
  • Reset Local GPO Settings without Logging in
  • How to Clear and Remove Domain-Applied GPO settings?

How to Reset Local Group Policy Editor (Gpedit.msc) Settings to Default?

This method involves using the GUI of the local Group Policy Editor console (gpedit.msc) to disable all configured policy settings. The local GPO graphical editor is available only in Pro, Enterprise and Education Windows 10 editions.

Tip. In the Home editions of Windows, the Local Group Policy Editor console (gpedit.msc) is missing.

Run the gpedit.msc MMC snap-in and go to the All Settings section (Local Computer Policy -> Computer Configuration -> Administrative Templates). This section contains a list of all settings available for configuration in the local administrative GPO templates. Sort the policies by the State column and find all configured policies (Disabled or Enabled state). Disable all or some of them by switching them to the Not configured state.

You can use the LGPO.exe tool from Security Compliance Manager to back up the current local GPO settings.

Do the same steps in the User Configuration section. This way, you can disable all the settings in the Administrative GPO templates.

Tip. A list of all applied local and domain policy settings in a convenient HTML report form can be obtained with the built-in GPResult tool:
gpresult /h c:\PS\GPRreport.html

The above method for resetting Group Policy in Windows is suitable for the simplest cases. Incorrect GPO configuration can lead to more serious problems, for example, the inability to run the gpedit.msc snap-in or even any program or app, loss of administrator privileges, or a restriction on logging on locally. In such cases, you have to reset the GPO settings saved in local files on your computer.

Group Policy Files Registry.pol

The Windows Group Policy architecture is based on special Registry.pol files. These files store registry settings that correspond to the configured GPO settings. User and Computer policies are stored in different Registry.pol files.

  • The computer settings (Computer Configuration section) are stored in %SystemRoot%\System32\GroupPolicy\Machine\registry.pol
  • The user settings (User Configuration section) are stored in %SystemRoot%\System32\GroupPolicy\User\registry.pol

During startup, Windows imports the contents of \Machine\Registry.pol to the system registry hive HKEY_LOCAL_MACHINE (HKLM). The contents of the file \User\Registry.pol are imported to the HKEY_CURRENT_USER (HKCU) hive when the user logs in.

When you open the Local GPO Editor console, it loads the contents of the Registry.pol files and shows them in a user-friendly graphical form. When you close the GPO editor, the changes you made are saved to the Registry.pol files. When you update the Group Policy settings on your computer (using the gpupdate /force command or on a schedule), the new settings are applied to the registry.

Tip. To make changes to the Registry.pol files, you should only use the local GPO Editor console. It is not recommended to edit Registry.pol files manually or using the older versions of Group Policy Editor!

To remove all current settings for the local GPO, you must remove the Registry.pol files in the GroupPolicy and GroupPolicyUsers folders.
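Before deleting the Registry.pol files, it helps to see which registry settings they actually carry. The following added example (not from the original article) decodes the PReg record layout, a "PReg" signature and version followed by [key;value;type;size;data] records in UTF-16LE; the function name and the sample key and value names are hypothetical.

```powershell
# Added example: decode the PReg records in a Registry.pol file (read-only).
function ConvertFrom-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $utf16 = [System.Text.Encoding]::Unicode
    # Header: ASCII "PReg" plus a 4-byte version, then [key;value;type;size;data] records.
    if ($Bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Missing PReg signature: not a Registry.pol file'
    }
    $typeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ' }

    # Returns the NUL-terminated UTF-16LE string that starts at $Offset.
    $readString = {
        param([int]$Offset)
        $end = $Offset
        while ($end + 1 -lt $Bytes.Length -and ($Bytes[$end] -ne 0 -or $Bytes[$end + 1] -ne 0)) { $end += 2 }
        $utf16.GetString($Bytes, $Offset, $end - $Offset)
    }

    $pos = 8
    while ($pos -lt $Bytes.Length) {
        $pos += 2                                                        # '['
        $key   = & $readString $pos; $pos += ($key.Length + 1) * 2 + 2   # text, NUL, ';'
        $value = & $readString $pos; $pos += ($value.Length + 1) * 2 + 2
        $type  = [BitConverter]::ToInt32($Bytes, $pos); $pos += 6        # DWORD, ';'
        $size  = [BitConverter]::ToInt32($Bytes, $pos); $pos += 6
        $data  = New-Object byte[] $size
        [Array]::Copy($Bytes, $pos, $data, 0, $size)
        $pos  += $size + 2                                               # data, ']'

        $decoded = switch ($type) {
            { $_ -in 1, 2 } { $utf16.GetString($data).TrimEnd([char]0) }
            4               { if ($size -ge 4) { [BitConverter]::ToUInt32($data, 0) } }
            default         { [BitConverter]::ToString($data) }
        }
        [pscustomobject]@{
            Key   = $key
            Value = $value     # names starting with ** (e.g. **del.Name) are delete directives
            Type  = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { $type }
            Data  = $decoded
        }
    }
}

# Constructed sample: one REG_DWORD record with hypothetical key and value names.
$u = [System.Text.Encoding]::Unicode
[byte[]]$sample = [System.Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([int]1) +
    $u.GetBytes("[Software\Policies\Example`0;Enabled`0;") + [BitConverter]::GetBytes([int]4) +
    $u.GetBytes(';') + [BitConverter]::GetBytes([int]4) + $u.GetBytes(';') +
    [BitConverter]::GetBytes([int]1) + $u.GetBytes(']')
ConvertFrom-RegistryPol $sample

# The two local policy files named above, if they exist on this computer.
foreach ($scope in 'Machine', 'User') {
    $pol = Join-Path $env:SystemRoot "System32\GroupPolicy\$scope\Registry.pol"
    if (Test-Path $pol) { ConvertFrom-RegistryPol ([System.IO.File]::ReadAllBytes($pol)) }
}
```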

Resetting all Local Group Policy Settings at Once on Windows 10/Windows Server 2016

To force a reset of all current local Group Policy settings, you must delete the Registry.pol files. You can also delete the directories with the policy configuration files completely. To do this, run the following commands in an elevated command prompt:

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"

In Windows 10 2004, the RD.exe command was removed, so the RMDIR.exe command must be used to remove directories.

After that, you need to reset the old GPO settings in the registry by applying a clean GPO:

gpupdate /force

These commands will reset all local Group Policy settings in the Computer Configuration and User Configuration sections.

Open gpedit.msc and make sure that all policies are in the Not Configured state. After you run the gpedit.msc console, the deleted GroupPolicyUsers and GroupPolicy folders will be recreated automatically with empty Registry.pol files.

The next time you make changes to Group Policy, Windows will create new Registry.pol files with the new settings.

Reset Local Security Policy Settings to Default in Windows

Local security policies are configured in a separate MMC console, secpol.msc. If the problems with the computer are caused by “tightening the screws” in the local security settings, and if you still have local access to Windows and administrator rights, it’s better to reset the security policy settings to the default values. To do it, open cmd.exe as an administrator and run the following command:

  • In Windows 10, Windows 8.1/8 and Windows 7: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
  • In Windows XP: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

Restart the computer.

If you still have problems with security policies, try manually renaming the checkpoint file of the local security policy database %windir%\security\database\edb.chk.

ren %windir%\security\database\edb.chk edb_old.chk

Run the command:
gpupdate /force

Restart Windows using the shutdown command:
shutdown -f -r -t 0

Reset Local GPO Settings without Logging in

If it is impossible to boot or log in to Windows, the GPSVC service is not running, you don’t have local administrator privileges, or you cannot open the command prompt (for example, apps are blocked by an AppLocker/SRP policy), boot your computer from any Windows installation disc, USB flash drive or LiveCD and reset the local GPO outside of the installed Windows image.

  1. Boot your computer from any Windows installation media and open the command prompt (Shift+F10);
  2. Run the command:
    diskpart
  3. Then display the list of volumes on the computer:
    list volume
    In this case, the drive letter assigned to the system volume corresponds to the system drive C:\. However, sometimes it may not match, so the commands below must be executed in the context of your system drive (e.g., D:\ or C:\);
  4. Close diskpart:
    exit
  5. Run the following commands one by one:
    RD /S /Q C:\Windows\System32\GroupPolicy
    RD /S /Q C:\Windows\System32\GroupPolicyUsers
  6. Restart the computer in the normal mode and make sure that the local Group Policy settings are reset to their default state.

How to Clear and Remove Domain-Applied GPO settings?

A few words about domain Group Policies. If a computer is joined to an Active Directory domain, some of its settings are set by domain-based GPOs.

The registry.pol files of all applied domain Group Policies are stored in the directory %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies. Each policy is stored in a separate folder with the domain policy GUID. After your computer leaves the AD domain, the registry.pol files of domain Group Policies on the computer will be deleted and won’t be loaded to the registry at startup. However, sometimes, despite removing a computer from the domain, GPO settings can still be applied to the computer.

The following registry keys correspond to these registry.pol files:

  • HKLM\Software\Policies\Microsoft
  • HKCU\Software\Policies\Microsoft
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies

The version history of the applied domain GPOs that have been used on the client is located in the following registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\

The local cache of applied domain GPOs is stored in C:\ProgramData\Microsoft\Group Policy\History. Delete the files in this directory with the command:

DEL /S /F /Q "%PROGRAMDATA%\Microsoft\Group Policy\History\*.*"

If you need to forcefully remove the domain GPO settings, you need to clean the %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies directory and delete the specified registry keys (it is strongly recommended that you back up the deleted files and registry entries!).

gpupdate /force /boot

Tip. The methods discussed above allow you to reset all local GPO settings in all Windows versions. All settings made with the Group Policy Editor will be reset. However, changes made directly in the registry with regedit.exe, REG files, domain registry GPP or in any other way are not reset.
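The reset steps for local and domain policies above delete folders and registry keys, and the article recommends backing them up first. The following added example (not from the original article) collects them into one timestamped folder before anything is removed; the function name, backup location and file names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: copy everything the article's reset steps delete into one folder.
# The backup location and file names are assumptions; adjust as needed.
function Backup-GroupPolicyState {
    param([string]$Root = (Join-Path $env:SystemDrive 'GPO-Backup'))

    $dest = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Folders removed by the RD / DEL commands (GroupPolicy is hidden, hence -Force).
    # GroupPolicy also contains the DataStore copy of applied domain policies.
    $folders = @(
        (Join-Path $env:WinDir 'System32\GroupPolicy'),
        (Join-Path $env:WinDir 'System32\GroupPolicyUsers'),
        (Join-Path $env:ProgramData 'Microsoft\Group Policy\History')
    )
    foreach ($src in $folders) {
        if (Test-Path $src) {
            Copy-Item $src (Join-Path $dest (Split-Path $src -Leaf)) -Recurse -Force
        }
    }

    # Registry keys listed in the article. HKCU is the hive of the account running
    # this script, not necessarily the affected user.
    $keys = @(
        'HKLM\Software\Policies\Microsoft',
        'HKCU\Software\Policies\Microsoft',
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects',
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies',
        'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History',
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    )
    foreach ($key in $keys) {
        $file = Join-Path $dest (($key -replace '[\\ ]', '_') + '.reg')
        & reg.exe export $key $file /y 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Not exported (key may not exist): $key" }
    }

    # Current local security policy and a report of the applied policy settings.
    & secedit.exe /export /cfg (Join-Path $dest 'secpol.inf') | Out-Null
    & gpresult.exe /h (Join-Path $dest 'gpresult.html') /f | Out-Null

    $dest   # return the backup folder so the caller can log or verify it
}

$backupPath = Backup-GroupPolicyState
"Backup written to $backupPath"
```

To undo a reset, copy the saved folders back to their original locations, import the .reg files with reg import, and run gpupdate /force.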


17 comments

Steve Prester June 4, 2015 - 7:49 pm

This is absolutely awesome! A Windows knowledge base that:

Didn’t require or suggest (so far as I can tell) member registration.
Written in blog form, such that I didn’t have to wade through hours of differing opinions and arguments.
Enabled me, step-by-step, to understand GPO administration within a local OS context (I will also assume I can get domain help, as well).
A clean page layout with minimal marketing interference, such that it appears the site is philanthropic in nature.

I’m in my 50’s, and when I was young and enthused I taught myself how to build & administer desktop PCs, beginning with MS-DOS 3.0, but I never really endeavored to fully understand network administration, beyond peer-to-peer configurations.  I lived during the days when a computer virus was a prank, and I even wrote and placed a few benign surprises on my friends’ PCs.  However, since the day organized crime began cracking personal and corporate networks for consumer fraud and identity theft I’ve lived in fear, due to my ignorance, when it comes to protecting my personal domain network.  I simply no longer have the personal drive or will to sift through the mountains of confused knowledge and opinions (including the TechNet mountain) that usually end up wasting my days away.
Thank you.  Can I donate to this site?

Max June 5, 2015 - 10:25 am

You are welcome!
You can donate to our website via PayPal button in sidebar

Carl November 5, 2015 - 11:06 am

thank you

Jason February 1, 2016 - 2:35 am

I have a computer that will not allow me to log into. There’s a setting in the local policy that requires a smart card to log in that was mistakenly checked. I’ve tried the above methods to reset everything. I haven’t been successful to this point.

Any ideas on how to reset the policies so that I can log in with a local admin? 

Thanks, 

Jason

JD July 28, 2016 - 7:20 am

Thank you, Thank you Thank youuuuuuuuuu so much, I was fed up from last 10 days cz of some group policy applied by mistake and was not able to find gpo reset command this article saved my life thank you so much………………………….

Marcos September 8, 2016 - 5:20 pm

First of all, my English is weak.
I did it. Thank you very much. My Windows 7_64 Enterprise can now create users with permission for user, before It was only permission for administrate.
 Take care.

Marcos September 8, 2016 - 5:20 pm

I used the method. secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Max February 21, 2018 - 6:32 am

Thanks for this post 🙂

PM August 15, 2018 - 8:11 am

Very complete and clear article, it helped a lot.

Thanks.

Marx G January 16, 2019 - 4:01 pm

Thank you man!

Nor Omar March 3, 2019 - 8:08 am

Hi,
Thanks for the great work and support to Windows users.
I set a group policy to my computer using GPEDIT.MSC and forgot to include the gpedit itself to unlock later, but when I closed the application everything else was locked except the app (Word) that I allowed to open. Even the GPEDIT.MSC is not opening. I am stuck, is there a way to reset and remove the whole Group Policy.

admin March 5, 2019 - 12:16 pm

You need to boot your device from any bootable disk / LiveCD / Windows 10 install disk and manually delete the files in the folders:
“d:\windows\System32\GroupPolicyUsers”
“d:\windows\System32\GroupPolicy”
Then just restart your computer and all Group Policy settings will be reset.

Nor Omar March 5, 2019 - 1:14 pm

Thanks guys.
I really appreciate the effort but I found another Backdoor of Opening the MMC then Gpedit and I disabled.

Thanks
Nor Omar

Steve April 15, 2019 - 3:53 pm

I have an issue where I’ve been messing about with some settings using the local group policy and an additional template. This template worked well but when I went to remove the settings, the effect of the policy was not reversed and I noticed that the registry settings that had applied were not removed.
Any ideas? These registry settings can be removed manually but I would need to take ownership of every key and remove individually.
I have tried the following commands but still no luck:
RD /S /Q “%WinDir%\System32\GroupPolicyUsers”
RD /S /Q “%WinDir%\System32\GroupPolicy”
Thanks

Zapperman September 12, 2020 - 1:16 pm

Same I just tried and rd is a command not found. Perhaps we can add an env var to path via cmd to enable rd, which env var is it?

Zapperman September 12, 2020 - 1:16 pm

Perhaps we can add an env var to path via cmd to enable rd, which env var is it?

admin September 17, 2020 - 5:21 pm

You can use the rmdir command instead of rd.



@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins

