GPO Removal Question

Posted on 2008-10-23
Last Modified: 2012-05-05
In our institute we have end users that do either administrative functions or work in labs.  All of them need the ability to log on with their domain credentials.  So we've set up two OUs for those workstations called Admin and Lab.  The computers that the admin persons use have 5 group policy objects applying down to them.  Contained in those GPOs are hundreds of federally mandated settings.  Computers in the Lab OUs CANNOT have the federally mandated policies applied to them out of fear these settings will break scientific applications.
So here's my question: If a computer object is moved into the "Admin" OU, thus inheriting those settings, then moved back into the Lab OU, will those federally mandated policies go back to what they were before?
Question by:esbfern
LVL 18

Expert Comment

ID: 22789286
To answer your question, yes. They should go back to what they were, unless those GPOs for the Admin group install some software.

Author Comment

ID: 22789355
Can you please show me a Microsoft document of this?  I think this depends on the OS and what policy is applied.
LVL 38

Accepted Solution

Shift-3 earned 500 total points
ID: 22789371
If they are all standard settings then yes, they should go away once the GPO no longer applies to that computer.  However, if that GPO contains custom administrative templates which edit registry entries that aren't under the four dedicated Policies keys then those changes can persist even after the policy is removed.  This is called tattooing the registry.

See these pages for more information:

LVL 18

Expert Comment

ID: 22789419
One simple way of knowing for sure is to do a test. Set up a machine in the Lab OU, make sure everything works fine, move it to the Admin OU, force a gpupdate to apply all the GPOs, then take it out and put it back in Lab.

Author Comment

ID: 22789666
It's a little more complicated than that.  Just found this

Author Comment

ID: 22790813
Shift-3:  How do I know which Group Policies will be put in these locations:  


Are all policies under the administrative templates in these locations?

Author Comment

ID: 22797584
Here's the answer for the Administrative Templates section of a GPO.  Shift-3 is correct.
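
Added example (not part of the thread and not any poster's code): a Python sketch that scans an ADM template's KEYNAME entries and flags those outside the Policies keys, which are the settings that would tattoo the registry as the accepted solution describes. The two Policies subtree paths (each under HKLM or HKCU, giving the four keys) are supplied here as an assumption from general Group Policy behavior rather than from the page, and the sample template and its names are constructed.

```python
import re

# Subtrees Group Policy cleans up when a GPO stops applying (hive comes from CLASS).
POLICY_ROOTS = (r"software\policies", r"software\microsoft\windows\currentversion\policies")
TOKEN = re.compile(r'^\s*(CLASS|POLICY|KEYNAME|END\s+POLICY)\b\s*(?:"([^"]*)"|(\S+))?', re.I)

def is_managed(key):
    k = key.strip("\\").lower()
    return any(k == r or k.startswith(r + "\\") for r in POLICY_ROOTS)

def classify_adm(text):
    """Return (hive, policy, key, verdict) for every KEYNAME in an ADM template."""
    hive, policy, rows = "HKLM", None, []
    for line in text.splitlines():
        m = TOKEN.match(line)
        if not m:
            continue
        word, value = m.group(1).upper().split()[0], m.group(2) or m.group(3) or ""
        if word == "END":
            policy = None  # a KEYNAME outside any POLICY belongs to the category
        elif word == "CLASS":
            hive = "HKCU" if value.upper() == "USER" else "HKLM"
        elif word == "POLICY":
            policy = value
        else:
            rows.append((hive, policy, value, "managed" if is_managed(value) else "tattoo"))
    return rows

# Constructed sample template; vendor and policy names are made up for illustration.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY "Constructed Lab App"
  POLICY "Disable auto update"
    KEYNAME "Software\Policies\ExampleVendor\LabApp"
  END POLICY
  POLICY "Legacy data path"
    KEYNAME "Software\ExampleVendor\LabApp\Settings"
  END POLICY
END CATEGORY
CLASS USER
CATEGORY "Constructed Shell"
  POLICY "Hide control panel"
    KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  END POLICY
END CATEGORY
'''

if __name__ == "__main__":
    for row in classify_adm(SAMPLE_ADM):
        print(*row, sep=" | ")
```

Any row marked `tattoo` is a setting to record and reset by hand (or with a reversing policy) before moving a computer back to the Lab OU.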
