Either the “Default Domain Policy” or the “Default Domain Controller Policy” has been corrupted. This will usually show up as errors in the Group Policy management console.
Use the dcgpofix tool included with Windows 2008 and 2012 to recreate the policies with their default settings:
- Launch an elevated PowerShell or CMD
- Run the dcgpofix utility with the /target switch to specify whether it should recreate the “Default Domain Policy” (/target:domain), the “Default Domain Controller Policy” (/target:dc) or both (/target:both). NOTE: This action will completely wipe your existing policies
- Run the Group Policy management console (gpmc.msc) and verify the policies are now showing without any errors
If the fix completes successfully but the policies are still showing errors, you may need to manually rename the folders in the SYSVOL folder:
- Open \\your-domain\sysvol\your-domain\Policies in an Explorer window
- You will see 2 folders with the unique ID of the policy you just recreated, one of which has the string “_NTFRS_” and a hexadecimal number appended. The folder without the additional string is the original (i.e. broken) policy, while the other is the newly created policy
- Rename the folders so that the newly created policy’s folder has only the unique ID.
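
The manual rename above can also be scripted. The following is an added example, not part of the original procedure: the function name Repair-NtfrsPolicyFolder and the ".broken-<timestamp>" suffix given to the original folder are assumptions made for illustration, and your-domain is a placeholder.

```powershell
# Added example (hypothetical helper): finds "<GUID>_NTFRS_<hex>" folders under
# the Policies share, moves the original (broken) folder aside, and gives the
# newly created folder the bare GUID name.
function Repair-NtfrsPolicyFolder {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # e.g. \\your-domain\sysvol\your-domain\Policies (placeholder domain)
        [Parameter(Mandatory)][string]$PoliciesPath
    )

    $pattern = '^\{[0-9A-Fa-f-]{36}\}_NTFRS_[0-9A-Fa-f]+$'
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'

    $conflicts = Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object { $_.Name -match $pattern }

    # Group by the bare GUID so several _NTFRS_ copies of one policy are noticed.
    foreach ($group in ($conflicts | Group-Object { $_.Name -replace '_NTFRS_.*$' })) {
        $guid = $group.Name
        if ($group.Count -gt 1) {
            Write-Warning "$guid has $($group.Count) _NTFRS_ copies; resolve by hand."
            continue
        }

        $newFolder = $group.Group[0]
        $original  = Join-Path $PoliciesPath $guid

        # Keep the broken folder under a different name instead of deleting it.
        if (Test-Path -LiteralPath $original) {
            if ($PSCmdlet.ShouldProcess($original, "rename to $guid.broken-$stamp")) {
                Rename-Item -LiteralPath $original -NewName "$guid.broken-$stamp" -ErrorAction Stop
            }
        }

        if ($PSCmdlet.ShouldProcess($newFolder.FullName, "rename to $guid")) {
            Rename-Item -LiteralPath $newFolder.FullName -NewName $guid -ErrorAction Stop
        }
    }
}

# Preview only; nothing is renamed while -WhatIf is present:
# Repair-NtfrsPolicyFolder -PoliciesPath '\\your-domain\sysvol\your-domain\Policies' -WhatIf
```

Run it with -WhatIf first and compare the listed folders against what Explorer shows before allowing the renames.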