GPO Removal Question

In our institute we have end users that do either administrative functions or work in labs, all of which need the ability to log on with their domain credentials. So we've set up two OUs for those workstations called Admin and Lab. The computers that the admin persons use have 5 group policy objects applying down to them. Contained in those GPOs are hundreds of federally mandated settings. Computers in the Lab OUs CANNOT have the federally mandated policies applied to them out of fear these settings will break scientific applications.
So here's my question: If a computer object is moved into the "Admin" OU, thus inheriting those settings, then moved back into the Lab OU, will those federally mandated policies go back to what they were before?
Asked by: esbfern
1 Solution
 
flyingsky Commented:
To answer your question, yes. They should go back to what they were, unless those GPOs for the Admin group install some software.
0
 
esbfern (Author) Commented:
Can you please show me a Microsoft document of this? I think this depends on the OS and what policy is applied.
0
 
Shift-3 Commented:
If they are all standard settings then yes, they should go away once the GPO no longer applies to that computer.  However, if that GPO contains custom administrative templates which edit registry entries that aren't under the four dedicated Policies keys then those changes can persist even after the policy is removed.  This is called tattooing the registry.

See these pages for more information:
http://support.microsoft.com/kb/323639
http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx
0
 
flyingsky Commented:
One simple way of knowing for sure is to do a test. Set up a machine in the Lab OU, make sure everything works fine, move it to the Admin OU, force a gpupdate to apply all the GPOs, then take it out and put it back in Lab.
0
 
esbfern (Author) Commented:
It's a little more complicated than that.  Just found this http://technet.microsoft.com/en-us/library/cc736484.aspx
0
 
esbfern (Author) Commented:
Shift-3:  How do I know which Group Policies will be put in these locations:  

HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

Are all policies under the administrative templates in these locations?
0
 
esbfern (Author) Commented:
Here's the answer for the Administrative Templates section of a GPO. Shift-3 is correct: http://technet.microsoft.com/en-us/library/cc736484.aspx
0
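
One way to check a custom administrative template against the four Policies keys listed in the thread, as an added example that is not from any of the posters: the script reads the `KEYNAME` entries of a classic `.adm` template and flags those outside the Policies subtrees, which are the ones that can tattoo. The template text is constructed, `ExampleVendor` is a placeholder, and the function names are hypothetical.

```powershell
# Added example. The .adm text below is constructed; ExampleVendor is a placeholder.
# KEYNAME paths in an .adm file are relative to the hive selected by CLASS.
$PolicyRoots = @(
    'Software\Policies',
    'Software\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-PolicyKey {
    param([string]$KeyName)
    $k = $KeyName.Trim('\')
    foreach ($root in $PolicyRoots) {
        # Match the root itself or any subkey, case-insensitively.
        if ($k -ieq $root -or
            $k.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AdmKeyReport {
    param([string]$AdmText)
    $hive = 'HKEY_LOCAL_MACHINE'
    foreach ($line in ($AdmText -split "`r?`n")) {
        if ($line -match '^\s*CLASS\s+(MACHINE|USER)\b') {
            $hive = 'HKEY_LOCAL_MACHINE'
            if ($Matches[1] -ieq 'USER') { $hive = 'HKEY_CURRENT_USER' }
        }
        elseif ($line -match '^\s*KEYNAME\s+"?([^"]+?)"?\s*$') {
            $key     = $Matches[1]
            $managed = Test-PolicyKey $key
            $effect  = 'can persist (tattoo)'
            if ($managed) { $effect = 'removed with the GPO' }
            [pscustomobject]@{ Key = "$hive\$key"; UnderPolicies = $managed; OnRemoval = $effect }
        }
    }
}

$adm = @'
CLASS MACHINE
CATEGORY "Example Lab App"
  KEYNAME "Software\Policies\ExampleVendor\LabApp"
  KEYNAME "Software\ExampleVendor\LabApp"
END CATEGORY
CLASS USER
CATEGORY "Explorer"
  KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
END CATEGORY
'@

Get-AdmKeyReport $adm | Format-Table -AutoSize
```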
