GPO and SYSVOL reset

TechnoNewbie

8/22/23, 6:13 PM

We inherited a network with badly damaged GPOs across 3 DC's (all WinServ 2016). We receive an "Access Denied" error when using GPOs, and the permissions of the SYSVOL folder show signs of tampering. I have attempted a D2 and D4 restore, following these instructions: https://docs.microsoft.com/en-US/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

However the issue persists.

The thing is, there are no group policies present other than the default 2. So what I would really like to do is reset the entire GPO system to default, rebuild the SYSVOL folder entirely from scratch to receive default permissions, and then perform another D4 authoritative sync. Is this possible? How can it be done?

0 + 0

permissions

group-policy

sysvol

windows-server-2016

Greg Askew

8/22/23, 6:22 PM

dcgpofix https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix

joeqwerty

8/22/23, 6:34 PM

This is one of those times when the best course of action is to open a support case with Microsoft. Don't take action that may make things worse, or worse yet, make things unrecoverable.

Score:2

Server

stackprotector

8/22/23, 6:28 PM

That's quite a broad question. Recreating SYSVOL is not just one simple step. Here is the documentation for this whole process: https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/rebuild-sysvol-tree-and-content-in-a-domain

Resetting the default domain policies is much easier. Use the dcgpofix tool:

dcgpofix /ignoreschema /target:both

0 + 0

TechnoNewbie

8/22/23, 6:40 PM

Upon running this I receive an error: Unable to create the file or directory C:\Windows\SYSVOL\domain.site\Policies. The system cannot find the path specified. I can confirm that a junction exists at c:\windows\sysvol\domain.site which points to c:\windows\sysvol\domain\

TechnoNewbie

8/22/23, 6:52 PM

I'll proceed with the link to rebuild SYSVOL and report back here.

TechnoNewbie

8/22/23, 9:36 PM

ultimately this answers my question to rebuild sysvol even if the access denied error persists.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: GPO and SYSVOL reset

TH: รีเซ็ต GPO และ SYSVOL

RO: GPO și SYSVOL resetate

RU: Сброс GPO и SYSVOL

VI: Đặt lại GPO và SYSVOL

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.