This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello, I need help recovering my Active Directory domain after an incorrect settings change was applied to the Default Domain Policy (DGP {31B2F340-016D-11D2-945F-00C04FB984F9}).
A change was made to the GPO’s security policy that added multiple Deny entries affecting administrative accounts. Specifically:
Both “Domain Admins” and “Enterprise Admins” were added to these policies:
Deny log on locally
Deny log on through Remote Desktop Services
Deny access to this computer from the network
As soon as the policy applied, every domain administrator account was locked out of every domain controller, both locally and over RDP.
This includes all privileged groups because:
Domain Admins SID = S-1-5-21-…-512
Enterprise Admins SID = S-1-5-21-…-519
Both appear inside the Default Domain Policy’s GptTmpl.inf under MACHINE\Microsoft\Windows NT\SecEdit
I found 2 policies under SYSVOL and removed the one I believed was the only one denying Domain Admins. However, I found that the default policy had the entries added. 512 and 519 SIDs were identified. I'm thinking of resetting the Default Domain policy, but not sure if using DSRM on Windows Server 2022 will work. How will it affect other GPO's outside of the default policy? (Wallpaper, BGINFO, etc...)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Resetting the Default Domain Policy should work. This should have no impact on other GPOs (other than Default Domain Policy and Default Domain Controllers Policy)
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 26%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Hi sir.
Thank you for your contribution to the community
To address the issue, please help try remove the incorrect settings, this could avoid causing impact on other GPOs.
Then, run gpupdate /force for the new setting to be applied.
gpresult /h C:\temp\gp.html
dfsrdiag pollad
If you believe this information adds some value, please accept the answer so that your experience with the issue would help contribute to the whole community.
Best wishes,
Kate!
