Resetting Default Domain Policy & Replacing EFS Certificate

I have inherited some pretty messy domains over the last couple of years when it comes to GPOs, and knowing the short and sweet way to reset the Default Domain and Default Domain Controllers policies has come in handy.  As I hope you know, Microsoft recommends changing these two policies only for the account, account lockout, password, and Kerberos settings.  I agree that they should stay clean; there is no reason not to break everything else out into separate GPOs in this day and age.  But let's move on before this becomes a rant.

To reset either of the default GPOs, you use the dcgpofix utility.  The syntax is quite simple.  Take a backup of the GPO you are resetting before you run it, as I'm sure you already know: dcgpofix does not merge, it rewrites the GPO back to its out-of-box defaults, so every custom setting in it is gone and the backup is your only way back.

Reset the Default Domain Policy:

Reset the Default Domain Controller Policy:

Reset both the Default Domain Controller and Default Domain Policy:

Voilà, you are done.  Go and set your account, account lockout, password, and Kerberos settings as dictated by your organization.  You may run into an issue where the utility is unable to recreate the EFS recovery certificate, as seen below:

This is pretty simple; you just have to create a new certificate for EFS and add it to the policy manually.  You can accomplish this in a number of different ways, but I'm going to show you the simplest (in my opinion), in which you create a self-signed recovery agent certificate that will outlive you.  Open PowerShell or a Command Prompt as Administrator and move to the directory where you want to save the certificate.  Once there, run the following, where "CertName" is whatever you would like to name the certificate:

This will generate your self-signed certificate in whatever directory you are sitting in.  Guard it: whoever holds the private key that goes with this certificate can decrypt every EFS-encrypted file in the domain, so move the private key off the DC into offline storage once you are done and keep only the public certificate on hand for the GPO.  Now you need to import it into your Default Domain Policy to be used for EFS.  Open the Group Policy Management Editor and navigate to "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System".  Once there, right-click "Encrypting File System" and select the "Add Data Recovery Agent…" option.

Move through the wizard, choosing the "Browse Folders…" option to select your certificate.  You will likely get a pop-up saying "Windows cannot determine if this certificate has been revoked".  That is expected for a self-signed certificate, which has no CRL to check, so select Yes when prompted to install the certificate.  Next your way through the rest of the wizard and you are all set.  Keep in mind that the new recovery agent covers files encrypted after the policy lands; files encrypted before it pick up the new agent when they are next opened and saved.
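The certificate step of the procedure above, added here as an example and not part of the original post: it creates the recovery agent certificate with cipher /r (the tool I would use for the "run the following" step; the post itself does not name the command), confirms both output files exist, and inspects the .cer before it is handed to the GPMC wizard. The certificate name, working directory and the File Recovery EKU check are assumptions for illustration.

```powershell
# Added example, not from the original post: create an EFS recovery agent certificate
# with cipher /r, then check what was produced before importing the .cer into the
# Default Domain Policy through GPMC. $CertName and $OutDir are assumed values.
$CertName = 'EFS-DRA'        # becomes EFS-DRA.cer and EFS-DRA.pfx
$OutDir   = 'C:\EFS-DRA'     # assumed working directory on the DC
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Location $OutDir

# cipher /r writes <name>.cer (public key, the file the GPO wizard wants) and
# <name>.pfx (the private key, the file that actually decrypts data). It prompts
# for a password to protect the .pfx.
& cipher.exe "/r:$CertName"

$cer = Join-Path $OutDir "$CertName.cer"
$pfx = Join-Path $OutDir "$CertName.pfx"
if (-not (Test-Path $cer) -or -not (Test-Path $pfx)) {
    throw "cipher did not produce both $cer and $pfx"
}

# Inspect the public certificate: it should be self-signed (subject equals issuer),
# carry the File Recovery EKU (OID 1.3.6.1.4.1.311.10.3.4.1) and have a validity
# period long enough that you will not be rotating it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

[pscustomobject]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    NotBefore       = $cert.NotBefore
    NotAfter        = $cert.NotAfter
    Thumbprint      = $cert.Thumbprint
    FileRecoveryEku = ($ekus -contains '1.3.6.1.4.1.311.10.3.4.1')
} | Format-List

# The .pfx is the crown jewel: copy it to offline storage, record the password in
# your vault, then remove it from the DC. Only the .cer goes into the GPO.
Write-Warning "Move $pfx to offline storage and delete it from this host once done."
```

After the DRA is in the policy and clients have refreshed it, `cipher /c <file>` on an encrypted file lists the recovery agents attached to it, and `cipher /u` lets a user re-stamp their existing encrypted files with the new agent instead of waiting for each one to be rewritten.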