How to remove the Software Restrictions Group Policy in 2003?
All,
I am streamlining my Active Directories GPO's considering the mess that the previous admin left behind is sick..... He / She enabled tons of GPO's throughout the default domain policy that was causing extreme slowness throughout the network and certain bad practices that i have read are not recomended within the default domain policy. I have created new GPO's that link to their appropiate OU's to fix the mess and be more neat anyways... In the process i have recreated the software restrictions policy altogether from scratch and now that i am removing the settings from the Default Domain Policy i can't!
They ended up setting all software restriction policies within GPO and now i cannot figure out how to remove it? I am using GPO management and GPO edit and for the life of me cannot find the delete/remove key... am i going crazy?? Help.
Thanks.
I am streamlining my Active Directories GPO's considering the mess that the previous admin left behind is sick..... He / She enabled tons of GPO's throughout the default domain policy that was causing extreme slowness throughout the network and certain bad practices that i have read are not recomended within the default domain policy. I have created new GPO's that link to their appropiate OU's to fix the mess and be more neat anyways... In the process i have recreated the software restrictions policy altogether from scratch and now that i am removing the settings from the Default Domain Policy i can't!
They ended up setting all software restriction policies within GPO and now i cannot figure out how to remove it? I am using GPO management and GPO edit and for the life of me cannot find the delete/remove key... am i going crazy?? Help.
Thanks.
ASKER
I am using GPO MGMT utility. it works wonders... the problem is i cannot remove the software restriction policies from my default domain policy..... :(
Hi kraven1388,
How about running the tool GPOFIX from the 2003 server console? This should reset the Default Policies back to default settings.
Just make sure any setting you need from these policies are recorded so you can recreate them.
Best practice dictates that only Account settings should be made in the Default Domain Policy - everything else should go into another policy linked to the container you want to apply it to.
Cheers!
Netman
How about running the tool GPOFIX from the 2003 server console? This should reset the Default Policies back to default settings.
Just make sure any setting you need from these policies are recorded so you can recreate them.
Best practice dictates that only Account settings should be made in the Default Domain Policy - everything else should go into another policy linked to the container you want to apply it to.
Cheers!
Netman
TIA for that suggestion, I imagine I'll be using that this evening.
MMDCisco
MMDCisco
Before you go blasting the GPOfix utill, you need to take the time to sift through the default domain policy and check and re-check that you have recorded all the settings that were wrongly placed in there. It takes all of 5 seconds to shaft a network with GPO's when you could have saved a couple of days of headaches...
on the other note it shouldnt matter if you have your software restriction policies lower down in the AD they will over ride anything set higher up.
Foxxy
on the other note it shouldnt matter if you have your software restriction policies lower down in the AD they will over ride anything set higher up.
Foxxy
I suggested recording them already.
ASKER
Netman, thanks for the advice... I am a little shaky about using the GPO fix util... This will ONLY reset my default domain policy settings back to default out of the box right? This will not affect my default domain controller policy or any other policies that came there after??? This is my situation so far..
I have removed all entries that were made in the default domain policy. however, like i said some software restriction policies cannot be removed for some reason or other. All policies that were removed i created the appropriate GPO's within the OU's that required them, not to the entire domain tree like before.... I just need to be reassured that this will ONLY reset my default domain policy and touch nothing else????
Thanks again!!
I have removed all entries that were made in the default domain policy. however, like i said some software restriction policies cannot be removed for some reason or other. All policies that were removed i created the appropriate GPO's within the OU's that required them, not to the entire domain tree like before.... I just need to be reassured that this will ONLY reset my default domain policy and touch nothing else????
Thanks again!!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks again netman, i will end up using the /ignoreschema /target:domain line considering i do have exchange running and i dont want to touch the DC policy.......
The policy i am trying to remove is: Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Software Restrictions Policies ... Under here the admin had set a bunch of restrictions on programs such as aim, aol, and messaging software he didnt want to be executed. After removing the entries from here and adding them to the new software policy it still shows up under default domain policy as enabled though there is nothing in it. I want this set back to default stage... so when i look at it under group policy management it shows actually nothing activated....... unless there is something im missing here....
P.S. thanks for the info on "Not Defined" and the "Disabled" elements. I thought that by setting to not defined it would reverse the original action, rather it leaves it alone! I did not know that.....
The policy i am trying to remove is: Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Software Restrictions Policies ... Under here the admin had set a bunch of restrictions on programs such as aim, aol, and messaging software he didnt want to be executed. After removing the entries from here and adding them to the new software policy it still shows up under default domain policy as enabled though there is nothing in it. I want this set back to default stage... so when i look at it under group policy management it shows actually nothing activated....... unless there is something im missing here....
P.S. thanks for the info on "Not Defined" and the "Disabled" elements. I thought that by setting to not defined it would reverse the original action, rather it leaves it alone! I did not know that.....
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en
Worked wonders for me.