One of the main tools to configure user and system settings in Windows is the Group Policy Objects (GPO). Local and domain policies (if a computer is in the Active Directory domain) can be applied to the computer and its users. The Group Policies are an excellent means to configure a system and able to increase its performance and security. However, the novice system administrators, who decided to make some experiments on the security of their computers, can configure some settings of a local (or a domain) GP incorrectly and encounter different problems.
In such cases, when an you cannot log on locally or don’t know exactly which of the applied policy settings causing a problem, you have to use the script to reset the Group Policy settings to default state. In the “clean” state none of the group policy settings are specified.
In this article we show several methods for resetting the settings of local and domain group policy to default values. This instruction is universal and can be used to reset the GPO settings on all supported versions of Windows: starting with Windows 7 and ending with Windows 10, and for all versions of Windows Server (2008 / R2, 2012 / R2 and 2016).
How to Reset the Local Group Policies Using Gpedit.msc Console
This method involves using the GUI of the local Group Policy Editor console (gpedit.msc) to disable all configured policies. The graphical local GPO editor is available only in Pro, Enterprise and Education Windows editions.
Tip. In the Home editions of Windows, the Local Group Policy Editor console is missing.
Run the gpedit.msc snap-in and go to the All Settings section (Local Computer Policy -> Computer Configuration – > Administrative templates). This section contains a list of all policies available for configuration in the local administrative templates. Sort policies by the State column and find all active policies (Disabled or Enabled state). Turn off all or some of them by switching them to the Not configured state.
Do the same steps in the User Configuration section. Thus, you can turn off all the settings of the administrative GPO templates.
gpresult /h c:\PS\GPRreport.htmlThe above method of resetting group policies in Windows is suitable for the simplest cases. Incorrect configuration of the Group Policies can result in more serious problems, like inability to start gpedit.msc snap-in or even all programs, the loss of the administrator privileges, or a restrict to local logon. Let’s consider these cases in more detail.
Reset all Local Group Policies Settings to Default from Command Prompt
This section describes how to forcefully reset all current Group Policy settings in Windows. However, first we will describe some of the principles of the operation of administrative group policy templates in Windows.
The architecture of the group policy is based on special Registry.pol files. These files store registry settings that correspond to the configured group policy settings. User and Computer policies are stored in different Registry.pol files.
- The computer settings (Computer Configuration section) are stored in %SystemRoot%\System32\ GroupPolicy\Machine\registry.pol
- The user settings (User Configuration section) are stored in %SystemRoot%\System32\ GroupPolicy\User\registry.pol
During the startup, the system imports the contents of \Machine\Registry.pol to the system registry key HKEY_LOCAL_MACHINE (HKLM). The contents of the file \User\Registry.pol are imported to the HKEY_CURRENT_USER (HKCU) when a user logs on to the system.
The Local Group Policy Editor when started, loads the contents of these files and shows it in a user-friendly graphical way. When you close the GPO editor, the changes you make are written to the Registry.pol files. After updating the group policies (using the gpupdate /force command or on a schedule), the new settings fall into the registry.
To reset all current settings of the local group policies, you must delete the Registry.pol files in the GroupPolicy directory. You can do it with the following commands, run them in the command prompt with the administrator privileges:
RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"
After that, you need to update the policy settings in the registry:
gpupdate /force
These commands will reset all local group policy settings in the Computer Configuration and User Configuration sections.
Open the gpedit.msc and make sure that all policies are in the Not Configured state. After running the gpedit.msc console, deleted folders will be created automatically with the default settings.
How to Reset Local Security Policies in Windows
Local security policies are configured in a separate mmc console – secpol.msc. If the problems with the computer are caused by “tightening the screws” in the local security settings and the user has retained the access to the system and the administrative privileges, first, it’s better to reset the security settings to the default values. To do it, under the administrator run the following command:
- In Windows 10, Windows 8.1/8 and Windows 7:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose - In Windows XP:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
After that restart the computer.
In the event that problems with security policies still exist, try manually renaming the checkpoint file of the local security policy database %windir%\security\database\edb.chk.
ren %windir%\security\database\edb.chk edb_old.chk
Run the command:
gpupdate /force
Restart Windows:
Shutdown –f –r –t 0
How to reset local policies if you can’t log in to Windows
If it is impossible to log in to the system locally or you can’t run the command line (e. g., apps are locked with Applocker), you can delete Registry.pol files when booted from any Windows installation disk or a LiveCD.
- Boot from any Windows installation media and run the command prompt (Shift+F10)
- Run the command:
1
diskpart
- Then display the list of volumes in the system:
1
list volume
In this case, the letter assigned to the system disk corresponds to the letter of the system – C:\. However, sometimes these can be different. So the following commands have to be run in the context of your system disk (e. g., D:\ or C:\)
- Close diskpart:
1
exit - Run the following commands one by one:
1 2
RD /S /Q C:\Windows\System32\GroupPolicy RD /S /Q C:\Windows\System32\GroupPolicyUsers
- Restart the computer in the normal mode and make sure that the local group policies settings are reset to their default values.
Reset applied Domain GPO settings
A few words about domain Group Policies. In the event that the computer is included in an Active Directory domain, some of its settings can be managed by a domain administrator through domain-based GPOs.
The registry.pol files of all applied domain group policies are stored in the directory %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies. Each policy is stored in a separate folder with the GUID of the domain policy.
These registry.pol files correspond to the following registry keys:
- HKLM\Software\Policies\Microsoft
- HKCU\Software\Policies\Microsoft
- HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
The versions history of the applied domain policies that have been used on the client is in the following branches:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\
- HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\
If you remove a computer from the domain, the registry.pol files of domain policies on the computer will be deleted and, accordingly, won’t be loaded to the registry.
If you need to force remove the domain GPO settings, you need to clean the %windir%\System32\GroupPolicy\DataStore\0\SysVol\contoso.com\Policies directory and delete the specified registry keys (it is strongly recommended that you back up the deleted files and registry entries !!!) . Then run the command:
gpupdate /force /boot
14 comments
This is absolutely awesome! A Windows knowledge base that:
Didn’t require or suggest (so far as far as I can tell) member registration.
Written in blog form, such that I didn’t have to wade through hours of differing opinions and arguments.
Enabled me, step-by-step, to understand GPO administration within a local OS context (I will also assume I can get domain help, as well).
A clean page layout with minimal marketing interference, such that it appears the site is philanthropic in nature.
I’m in my 50’s, and when I was young and enthused I taught myself how to build & administer desktop PCs, beginning with MS-DOS 3.0, but I never really endeavored to fully understand network administration, beyond peer-to-peer configurations. I lived during the days when a computer virus was a prank, and I even wrote and placed a few benign surprises on my friends’ PCs. However, since the day organized crime began cracking personal and corporate networks for consumer fraud and identity theft I’ve lived in fear, due to my ignorance, when it comes to protecting my personal domain network. I simply no longer have the personal drive or will to sift through the mountains of confused knowledge and opinions (including the TechNet mountain) that usually end up wasting my days away.
Thank you. Can I donate to this site?
You are welcome!
You can donate to our website via PayPal button in sidebar
thank you
I have a computer that will not allow me to log into. There’s a setting in the local policy that requires a smart card to log in that was mistakenly checked. I’ve tried the above methods to reset everything. I haven;t been successful to this point.
Any ideas on how to reset the policies so that I can log in with a local admin?
Thanks,
Jason
Thank you,Thank you Thank youuuuuuuuuu so much, I was fed up from last 10 days cz of some group policy applied bymistake and was not able to find gpo reset command this article saved my life thank you so much………………………….
First of all, my English is weak.
I did it. Thank you very much. My Windows 7_64 Enterprise can now create users with permission for user, before It was only permission for administrate.
Take care.
I used the method. secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
Thanks for this post 🙂
Very complete and clear article, it helped a lot.
Thanks.
Thank you man!
Hi,
Thanks for the great work and support to windows users.
i set a group policy to my computer using GPEDIT.MSC and forget to include the gpedit it’s self to unlock later, but when i closed the application everything else was locked except the app (word) that i allowed to open. even the GPEDIT.MSC is not opening. I am Stuck, is there a way to reset and remove the whole Group Policy.
You need to boot your device from any bootable disk / LiveCD / Windows 10 install disk and manually delete the files in the folders:
“d:\windows\System32\GroupPolicyUsers”
“d:\windows\System32\GroupPolicy”
Then just restart your computer and all Group Policy settings will be reset.
Thanks guys.
I really appreciate the effort but i found another Backdoor of Opening the MMC then Gpedit and i disabled.
Thanks
Nor Omar
I have an issue where I’ve been messing about with some settings using the local group policy and an additional template. This template worked well but when I went to remove the settings, the effect of the policy was not reversed and I noticed that the registry settings that had applied were not removed.
Any ideas? These registry settings can be removed manually but I would need to take ownership of every key and remove individually.
I have tried the following commands but still no luck:
RD /S /Q “%WinDir%\System32\GroupPolicyUsers”
RD /S /Q “%WinDir%\System32\GroupPolicy”
Thanks