Group Policy set static settings in pc? still applied after moved out


I have run gpupdate /force, rebooted a few times, it's been almost 24hr, rebooted.

When I run gpresult, that GPO/OU is _NOT_ listed. But I still can't see my cdrom/floppy. Both of which were disabled in the OLD OU it was in.



A workaround was to create another OU, put this computer in it, with the SAME ADM FILE that was used to disable the CDROM etc. And un-do the setting.

I wasn't aware that settings are "static" unless they are UNDONE. I thought they all reset on reboot. Which is why GPOs are deployed on startup (computer settings).


Computer settings are not static.

I think you are not understanding the difference between Computer Configuration settings (the top portion in Group Policy Editor, essentially affecting HKLM) and User Configuration settings (the bottom portion, essentially affecting HKCU which is stored in your domain user profile).

There is no such setting as "disable floppy/CD" so I assume you are talking about the settings which really just hide drives from Windows Explorer and common dialogs such as File Open. These settings are User Configuration. Therefore, they affect your domain user profile, not the machine's registry (meaning HKLM).

When you link a GPO to an OU containing computer accounts, this by itself only applies Computer Configuration settings to those machines. In order to apply User Configuration settings to users who log onto those machines, the GPO must have Security Filtering defined which includes those users. When you create a new GPO, by default the Security Filtering includes "Authenticated Users" which means any domain user, regardless of OU. You can see the Security Filtering on the Scope tab in the Group Policy Management Console. You could also enable Group Policy Loopback Mode, which applies User Configuration to any user who logs onto the computer, but no matter how you do it, the User Configuration settings get written to the user profile.

What happened to you is that you moved the computer out of the OU, which resets the HKLM-related settings, and stops applying GPO to your user profile upon future logons, but it does not reset the values which were already saved in your user profile. The only way to reset an existing user profile back to default is to delete the user profile and let it get recreated from the Default User profile upon next logon. Your workaround of applying another GPO does not actually "reset" everything; it only changes the specific settings to whatever you indicate in the second GPO.


CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED

VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY

[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"


  • 3 weeks later...

Ahh, you're using the custom ADM from KB555324. Did you notice the "More Information" section at the bottom of that article?

This template is considered a preference rather than a true policy and will tattoo the registry of client computers with its settings. If this template is moved out of scope of the Group Policy which applies it, the registry changes it makes will remain.

"Preference" means a template which modifies registry settings directly. Normal "policy" templates do not modify registry settings directly; they modify registry keys under a "Policies" node which is then applied to the actual registry settings. That's how true policies can be unapplied.

Look inside a standard ADM file at the KEYNAME entries and you will see what I mean.

The reason that the custom template from KB555324 does not use true policy is (like I said), there is no policy which allows disabling floppy/CD. You can't simply create your own subkeys under Policies; the OS will only apply the ones it is programmed to. Therefore, a preference is as close as you can come.

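To check whether a machine still carries the tattooed values discussed in this thread, the PowerShell below reads the four Start values that the ADM template writes and previews reverting any that are still set to 4. It is an added example, not part of the original posts or of KB555324; it assumes the values the template marks DEFAULT (3, 1, 3, 3) are the wanted baseline, and the function name and state labels are made up for illustration.

```powershell
# Added example: audit the driver "Start" values written by the ADM template above.
# Baseline = the values the template marks DEFAULT (assumed to be the wanted state).
# 4 = the value the template writes when its "disable" option is selected.
$baseline = [ordered]@{
    USBSTOR  = 3
    Cdrom    = 1
    Flpydisk = 3
    Sfloppy  = 3
}

function Get-DriveDriverState {   # hypothetical helper name
    param([System.Collections.IDictionary]$Baseline)

    foreach ($svc in $Baseline.Keys) {
        $path  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $start = $null
        # Some of these driver keys do not exist on every machine, so test first.
        if (Test-Path -Path $path) {
            $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        }

        if ($null -eq $start) {
            $state = 'KeyOrValueMissing'
        } elseif ($start -eq 4) {
            $state = 'Tattooed'            # still carries the template's disable value
        } elseif ($start -eq $Baseline[$svc]) {
            $state = 'TemplateDefault'
        } else {
            $state = 'Other'
        }

        [pscustomobject]@{
            Service         = $svc
            Start           = $start
            TemplateDefault = $Baseline[$svc]
            State           = $state
        }
    }
}

$report = Get-DriveDriverState -Baseline $baseline
$report | Format-Table -AutoSize

# Revert only the tattooed values. -WhatIf previews the change; remove it and run
# from an elevated session to actually write the registry.
$report | Where-Object State -eq 'Tattooed' | ForEach-Object {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Service)" `
        -Name Start -Value $_.TemplateDefault -WhatIf
}
```

A value of 4 on a machine that gpresult shows as out of scope for the GPO is the leftover the last post describes: the setting lives outside any Policies key, so nothing removes it when the GPO stops applying.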
