
GPO now undefined but past settings still apply?



Hey guys,

Here is an interesting question that I need to know the answer to (Win2003 SP1 AD):

Say you enable a policy setting by checking the box DEFINE and then you define something:

The policy applies (with gpupdate.exe) and all is happy. Then at some later time in the future you decide that the policy no longer needs to exist and you uncheck the DEFINE box:

From this point on, no matter what you do, the settings that were installed in the past still apply and there is no way to get rid of them. The fact that the DEFINE check box is now UNCHECKED does not work.

Sure, the policy does show as NOT DEFINED:

But the settings that WERE DEFINED AT SOME POINT IN THE PAST still apply? Remember, this requires a specific answer, not philosophical expansion!

What gives?

~Boyan



Almost all group policy settings are just registry settings. Defining a group policy option sets a registry setting on a client - undefining that policy at a later time does NOT remove that registry modification, it simply sets it to not defined by group policy (i.e., don't modify the client). You have to define the same settings that you previously enabled, to DISABLED, to do what you're expecting.


Most of the time, the policy is linked to one registry value. "Enabled" sets it to 1, "Disabled" sets it to "0" and "Not Defined" deletes it from the registry. This happens when the policy is applied (during boot or at other times). As for myself, I prefer to find the values with regmon and set them to my liking, thus avoiding the overhead (deliberate tattooing?). Others' experience may vary and you must be very careful while doing this.

GL

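To see exactly which registry keys and values a given GPO writes or deletes (the mapping the thread is after), read the GPO's registry.pol from SYSVOL (Machine\registry.pol or User\registry.pol under the policy's GUID folder). The parser below is an added example, not code from this thread or from Microsoft; it follows the documented MS-GPREG layout (a "PReg" header, then [key;value;type;size;data] records in UTF-16LE) and the sample bytes are constructed inline. The Windows Update key and value names in the sample are real policy locations but are only illustrative here.

```python
import struct

REG_DWORD = 4
U16 = "utf-16-le"

def encode_pol(entries):
    """Build registry.pol bytes from (key, value, type, data); constructs sample input only."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))      # magic + version 1
    for key, value, reg_type, data in entries:           # [key;value;type;size;data]
        out += "[".encode(U16) + (key + "\0").encode(U16) + ";".encode(U16)
        out += (value + "\0").encode(U16) + ";".encode(U16)
        out += struct.pack("<I", reg_type) + ";".encode(U16)
        out += struct.pack("<I", len(data)) + ";".encode(U16) + data + "]".encode(U16)
    return bytes(out)

def _utf16z(buf, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, pos after NUL)."""
    end = next(i for i in range(pos, len(buf), 2) if buf[i:i + 2] == b"\x00\x00")
    return buf[pos:end].decode(U16), end + 2

def parse_pol(buf):
    """Parse registry.pol into records (key, value, type, data) plus the action the
    registry client-side extension takes: set, delete one value, or delete all."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol")
    pos, records = 8, []
    while pos < len(buf):
        if buf[pos:pos + 2] != "[".encode(U16):
            raise ValueError("malformed entry at offset %d" % pos)
        key, pos = _utf16z(buf, pos + 2); pos += 2                  # skip ';'
        value, pos = _utf16z(buf, pos); pos += 2                    # skip ';'
        reg_type = struct.unpack_from("<I", buf, pos)[0]; pos += 6  # DWORD + ';'
        size = struct.unpack_from("<I", buf, pos)[0]; pos += 6      # DWORD + ';'
        data = buf[pos:pos + size]; pos += size + 2                 # data + ']'
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        action = "set"
        if value.startswith("**del."):           # remove this one value
            action, value = "delete_value", value[len("**del."):]
        elif value.startswith("**delvals."):      # remove every value under key
            action, value = "delete_all_values", ""
        records.append({"key": key, "value": value, "type": reg_type,
                        "data": data, "action": action})
    return records

# Constructed sample: one entry that sets a value and one **del. entry that tells
# the client to remove a value. A setting switched to Not Defined contributes no entry.
AU = r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
SAMPLE_POL = encode_pol([(AU, "NoAutoUpdate", REG_DWORD, struct.pack("<I", 1)),
                         (AU, "**del.AUOptions", REG_DWORD, struct.pack("<I", 0))])
```

A setting that was once defined and is now Not Defined simply has no record in the file, so the client is never told to undo what an earlier record wrote; comparing the records against the client's registry shows what has been left behind.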

Ok, thanks for your reply. Where can I get a list that shows all GPO settings and their corresponding reg keys?

I will need to remove the reg keys that are messing me up after being tattooed into the desktops.

Thanks again

Boyan


Well setting a GPO to "Not Defined" for the standard ones is supposed to undo whatever was done. You can just reverse the policy setting to undo it (the setting will still be forced by GPO but at least it'll be undone on the workstation). After sufficient time (i.e. all clients have refreshed their policies) you can then change the policy to "Not Defined".

There is a company (recently purchased by Microsoft) that makes products designed to help prevent tattooing. This product is PolicyMaker from DesktopStandard (again, now owned by Microsoft).

http://www.desktopstandard.com/
