I was cleaning up old, unused Group Policy Objects recently and came across two that could not be deleted. They were legacy GPOs from before I started at the organization and were not linked anywhere and had old arbitrary settings. Not wanting to just leave junk laying around, I tried to delete the actual objects not just the links from within the Group Policy Objects area in the Group Policy Management Console but received the error message:
“The server is unwilling to process the request.”
I’m not used to my servers talking back to me and I didn’t see anything special about these GPOs. After verifying account access and having another domain administrator give it a shot and receiving the same sassy error message. Looking a bit closer, I saw that the GUIDs for these GPOs under the Details tab showed they were actually the original Default Domain Policy and Default Domain Controllers Policy.
Default Domain Policy: {31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy: {6AC1786C-016F-11D2-945F-00C04fB984F9}
I wouldn’t be able to delete them because they were system protected/reserved. They also seemed to be corrupted as the Settings did not render fully and upon linking the GPO to an OU, the computers errored out on processing Group Policy. To fix this, I logged into a domain controller as a domain admin and from an elevated command prompt ran: dcgpofix.
This built-in (to Server) command restores the Default Domain Policy and Default Domain Controller Policy to their original state. This needs to be done from a server OS that is equivalent or better than your domain functional level.
I did encounter an issue where the dcgpofix would not complete. It just hung at the command prompt even though I could see the GPOs were reset in GPMC. I was able to resolve this by looking at the Shared Folder Management on the DC and closing any open files to the GPOs (look for the GUID under Sysvol). Once I did that, the restore completed and I was able to clear out the settings and link it in the organization as the defaults since I have to keep it around anyways.
Of course, you need to be careful when using dcgpofix if you are using either of these GPOs with your true settings as you could change your access rights. Dcgpofix is intended for disaster recovery only. Confirm that the GUIDs match for your intended reset target. You can use the Target parameter to restore the Default Policies independently such as dcgpofix /target:Domain.