Updating a Group Policy Object does not remove previous settings

I'm using MS's Group Policy Management console to manage our group policy infrastructure.  I've got a policy that manages IE7 settings.  I'd like to remove some settings from this policy and push out the changes.  When I make the changes and apply the new policy, the old settings are not removed from the affected computers.

Is there a way to remove settings that were applied by a previous policy?  If so, how?

Thanks.
griffisblessing Asked:
 
bluntTony Commented:
The majority of group policy settings should just revert back to default if the GPO is removed - some settings such as security settings do tattoo and have to be cancelled out by another local/group policy.
Before you go any further I would recommend actually forcing a policy refresh on the machine after removing the GPO, then reboot the machine so that all computer/user settings can be fully re-applied (not all policies will refresh properly while a user is logged in).
Then check that the old policy is no longer applying (use gpresult). If not, check to see if any old settings are still applying. If they are, check in an RSoP query that they are definitely not being applied from anywhere in group policy. If not, it looks like the settings will have tattooed. If this is the case, then they will need to be cancelled out by another policy by configuring conflicting settings. For example, for a setting which is boolean (simply enabled or disabled), rather than just applying a GPO where the settings are 'Not Defined' (this won't cancel the old setting), you would have to apply a GPO where the setting is 'Disabled' to cancel out the previous 'Enabled'.
I have to say though that the majority of these sorts of policies should not be tattooing so I would first reboot the machine to be sure...
Hope this helps...
0
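The check described in the answer above (refresh, confirm with gpresult, then decide whether a leftover value has tattooed), as an added PowerShell example that is not part of the thread or any poster's code. The entries in `$Settings` are constructed samples to be replaced with the values your old GPO wrote; the classification relies on Group Policy only cleaning up values under the `Policies` registry subtrees, and the script assumes Windows Vista or later (`gpresult /r`) and PowerShell 3.0 or later (`-LiteralPath`).

```powershell
# Added example: classify registry values left behind after a GPO is unlinked.
# $Settings holds constructed sample entries; replace them with the keys and
# value names that the old GPO's ADM template actually writes.
$Settings = @(
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';          Name = 'Start Page' }
)

# Subtrees that Group Policy cleans up when a GPO stops applying. Values
# written anywhere else persist ("tattoo") until something overwrites them.
$ManagedRoots = @(
    '\Software\Policies\',
    '\Software\Microsoft\Windows\CurrentVersion\Policies\'
)

function Test-ManagedPolicyKey {
    param([string]$Key)
    foreach ($root in $ManagedRoots) {
        if ($Key.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-LeftoverSetting {
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        $present = $false; $value = $null
        if (Test-Path -LiteralPath $s.Key) {
            $item = Get-ItemProperty -LiteralPath $s.Key -Name $s.Name -ErrorAction SilentlyContinue
            if ($item) { $present = $true; $value = $item.($s.Name) }
        }
        if (-not $present)                        { $verdict = 'Cleared' }
        elseif (Test-ManagedPolicyKey $s.Key)     { $verdict = 'Present under a Policies key: check RSoP for the GPO setting it' }
        else                                      { $verdict = 'Tattooed: needs a conflicting setting to cancel it' }
        New-Object PSObject -Property @{
            Key = $s.Key; Name = $s.Name; Value = $value; Verdict = $verdict }
    }
}

# Refresh policy, show which GPOs apply to the user, then inspect leftovers.
gpupdate /force | Out-Null
gpresult /r /scope user
Get-LeftoverSetting -Settings $Settings | Format-List Key, Name, Value, Verdict
```

Run it as the affected user after logging off and back on, since HKCU and the user-scope gpresult output are per-user.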
 
bluntTony Commented:
How are you making the changes? You mention creating a new policy - are you creating a separate GPO with conflicting policies to the existing one, or are you simply editing the original GPO and removing the settings from here?
After making the changes, have you run gpupdate /force on a client machine and then rebooted it?
Certain policies applied will remain after removing the GPO which set them - what settings are you trying to remove?
0
 
griffisblessing (Author) Commented:
In this particular case, I have 2 separate policies for IE.  One is applied to one group of machines, etc.  What I'm trying to do is take a group of machines that had one policy applied and instead apply the other policy.  Specifically, the old policy had User Configuration settings, and the new policy does not.

I have run "gpupdate /force", but have not rebooted yet.  It seems as though it will append the different settings in the new policy, but it will not remove settings made by the initial policy.

Hope this helps to explain it further.  Thanks for the help and quick reply.
0
 
bluntTony Commented:
OK - have you removed the old GPO (un-linked it from the OU), or do you now have both GPOs applying to the OU?
Because one is a set of computer settings, and one is user settings, they are not actually conflicting. If you want the second GPO to over-rule the existing one, they both have to have the same settings, and you need to ensure that the new GPO is higher in precedence than the existing one (so that it over-rules). Also note that 'Not-defined' in the new GPO will not clear a setting applied in another GPO - it won't have any effect at all, so you can't rely on this to cancel settings.
Incidentally, user settings will only apply to a user object, and computer settings to computers, i.e. if you configure user settings on a GPO and link it to an OU holding just computer accounts, then the settings will not take any effect (sorry if I'm stating the obvious!!)
Also, I would at least run gpupdate /force and then log off (as the original settings were user settings). Once logged back in, check with gpresult that the correct policies are applying.
0
 
griffisblessing (Author) Commented:
Yes, I unlinked the original policy, then linked up the new one.  I am fairly comfortable dealing with GP Management and creation, it's just always baffled me as to whether or not a newly applied policy clears settings from a previous policy.  Maybe the correct question to ask is ... Is there a way to remove settings from a previous policy by applying a new policy?

Thanks.
0
 
griffisblessing (Author) Commented:
Thanks for the help.  In the end I ended up editing the group policy directly in a text editor.  This allowed me to make the changes that I needed.  IE7's ADM template was not quite robust enough to get into the settings that I needed to change.  Your help and suggestions gave me a good framework to go from.
0
Question has a verified solution.
