bbiandov Posted March 26, 2007

Hey guys,

Here is an interesting question that I need to know the answer to (Win2003 SP1 AD):

Say you enable a policy setting by checking the box DEFINE and then you define something:

The policy applies (with gpupdate.exe) and all is happy. Then at some later time in the future you decide that the policy no longer needs to exist and you uncheck the DEFINE box:

From this point on, no matter what you do, the settings that were installed in the past still apply and there is no way to get rid of them. The fact that the DEFINE check box is now UNCHECKED does not work. Sure the policy does show as NOT DEFINED:

But the settings that WERE DEFINED AT SOME POINT IN THE PAST still apply? Remember, this requires a specific answer, not philosophical expansion!

What gives?

~Boyan
cluberti Posted March 26, 2007

Almost all group policy settings are just registry settings. Defining a group policy option sets a registry setting on a client - undefining that policy at a later time does NOT remove that registry modification, it simply sets it to not defined by group policy (i.e., don't modify the client). You have to define the same settings that you previously enabled, to DISABLED, to do what you're expecting.
nmX.Memnoch Posted March 27, 2007

The "not undoing" is commonly referred to as "tattooing" the workstation. It'll happen even worse if you use custom ADM templates.

This is why you should be sure before forcing a setting through GPO.
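An added example, not part of the thread: one way to review a custom ADM template before deploying it is to list every value it writes and flag keys outside the registry branches reserved for policy. It assumes the general Windows behaviour that only values under `Software\Policies` and `Software\Microsoft\Windows\CurrentVersion\Policies` are removed when a setting goes back to not configured; the template text, vendor and value names below are constructed.

```python
import re

# Branches assumed to be cleaned up on "Not Configured"; other keys tattoo.
POLICY_BRANCHES = ("software\\policies\\",
                   "software\\microsoft\\windows\\currentversion\\policies\\")
# Constructed sample ADM template; vendor, policy and value names are made up.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "Example App"
  POLICY "Force proxy"
    KEYNAME "Software\ExampleVendor\App\Network"
    VALUENAME "ProxyServer"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Shell"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
  POLICY "Hide Run"
    VALUENAME "NoRun"
  END POLICY
END CATEGORY
'''
LINE = re.compile(r'^\s*(CLASS|CATEGORY|POLICY|KEYNAME|VALUENAME|END)\s+"?([^"]*)"?\s*$', re.I)

def audit_adm(text):
    """Return (hive, key, value, policy, tattoos) for each VALUENAME."""
    hive = cat_key = pol_key = policy = None
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        word, arg = m.group(1).upper(), m.group(2).strip()
        if word == "CLASS":
            hive = "HKLM" if arg.upper() == "MACHINE" else "HKCU"
        elif word == "CATEGORY":
            cat_key = None                   # simplification: no nested categories
        elif word == "POLICY":
            policy, pol_key = arg, None
        elif word == "KEYNAME":              # policy-level key overrides category
            pol_key, cat_key = (arg, cat_key) if policy else (pol_key, arg)
        elif word == "END" and arg.upper() == "POLICY":
            policy = pol_key = None
        elif word == "VALUENAME":
            key = pol_key or cat_key or ""
            managed = (key.lower() + "\\").startswith(POLICY_BRANCHES)
            rows.append((hive, key, arg, policy, not managed))
    return rows

if __name__ == "__main__":
    for row in audit_adm(SAMPLE_ADM):
        print("TATTOO" if row[4] else "ok", *row[:4])
```

Values flagged as tattooing are the ones that need an explicit reverse setting or manual cleanup on clients once the GPO is withdrawn.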
GrofLuigi Posted March 27, 2007

Most of the time, the policy is linked to one registry value. "Enabled" sets it to 1, Disabled sets it to "0" and "Not Defined" deletes it from the registry. This happens when the policy is applied (during boot or at other times). As for myself, I prefer to find the values with regmon and set them to my liking, thus avoiding the overhead (deliberate tattooing?). Others' experience may vary and you must be very careful while doing this.

GL
annakin108 Posted March 27, 2007

Yup... we have even gone as far as creating an OU with all the GPOs we have in place but they are opposite from the ones we have applied. Crazy! But it works in situations where we need to troubleshoot...
bbiandov Posted March 27, 2007 (Author)

Ok, thanks for your reply. Where can I get a list that shows all GPO settings and their corresponding reg keys?

I will need to remove the reg keys that are messing me up after being tattooed into the desktops.

Thanks again

Boyan
nmX.Memnoch Posted March 27, 2007

Well, setting a GPO to "Not Defined" for the standard ones is supposed to undo whatever was done. You can just reverse the policy setting to undo it (the setting will still be forced by GPO but at least it'll be undone on the workstation). After sufficient time (i.e. all clients have refreshed their policies) you can then change the policy to "Not Defined".

There is a company (that was recently purchased by Microsoft) that makes products designed to help prevent tattooing. This product is PolicyMaker from DesktopStandard (again, now owned by Microsoft).

http://www.desktopstandard.com/
bbiandov Posted April 2, 2007 (Author)

Thanks for the link. No wonder Microsoft bought them! Great product. Thanks!