Updating a Group Policy Object does not remove previous settings

I'm using MS's Group Policy Management console to manage our group policy infrastructure.  I've got a policy that manages IE7 settings.  I'd like to remove some settings from this policy and push out the changes.  When I make the changes and apply the new policy, the old settings are not removed from the effected computers.

Is there a way to remove settings that were applied by a previous policy?  If so, how?

Thanks.
griffisblessingAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bluntTonyHead of ICTCommented:
How are you making the changes? You mention creating a new policy  - are you creating a seperate GPO with conflicting policies to the existing one, or are you simply editing the original GPO and removing the settings from here?
After making the changes, have you ran gpupdate /force on a client machine and then rebooted it?
Certain policies applied will remain after removing the GPO which set them - what settings are you trying to remove?
0
griffisblessingAuthor Commented:
In this particular case, I have 2 separate policies for IE.  One is applied to one group of machines, etc.  What I'm trying to do is take a group of machines that had one policy applied and instead apply the other policy.  Specifically, the old policy had User Configuration settings, and the new policy does not.

I have ran "gpupdate /force", but have not rebooted yet.  It seems as though it will append the different settings in the new policy, but it will not remove settings made by the initial policy.

Hope this helps to explain it further.  Thanks for the help and quick reply.
0
bluntTonyHead of ICTCommented:
OK - have you removed the old GPO (un-linked it from the OU), or do you now have both GPOs applying to the OU?
Because one is a set computer settings, and one is user settings, they are not actually conflicting. If you want the second GPO to over-rule the existing one, they both have to the same settings, and you need to ensure that the new GPO is higher in precedence than the existing one (so that it over-rules). Also note that 'Not-defined' in the new GPO will not clear a setting applied in another GPO - it won't have any effect at all, so you can't rely on this to cancel settings.
Incidentally, user settings will only apply to a user object, and computer settings to computers, i.e. if you configure user settings on a GPO and link it to an OU holding just computer accounts, then the settings will not take any effect (sorry if I'm stating the obvious!!)
Also, I would at least run gpupdate /force and then log off (as the original settings were user settings). Once logged back in, check with gpresult that the correct policies are applying.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

griffisblessingAuthor Commented:
Yes, I unlinked the original policy, then linked up the new one.  I am fairly comfortable dealing with GP Management and creation, it's just always baffled as to whether or not a newly applied policy clears settings from a previous policy.  Maybe the correct question to ask is ... Is there a way to remove settings from a previous policy by applying a new policy?

Thanks.
0
bluntTonyHead of ICTCommented:
The majority of group policy settings should just revert back to default if the GPO is removed - some settings such as security settings do tattoo and have to be cancelled out by another local/group policy.
Before you go any further I would recommend actually forcing a policy refresh on the machine after removing the GPO, then reboot the machine so that all computer/user settings can be fully re-applied (not all policies will refresh properly while a user is logged in).
Then check that the old policy is no longer applying (use gpresult). If not, check to see if any old settings are still applying. If they are, check in an RSoP query that they are definitely not being applied from anywhere in group policy. If not, it looks like the settings will have tattooed. If this is the case, then they will need to be cancelled out by another policy by configuring conflicting settings. For example, for a setting which is boolean (simply enabled or disabled), rather than just applying a GPO where the settings are 'Not Defined' (this won't cancel the old setting), you would have to apply a GPO where the setting is 'Disabled' to cancel out the prevoius 'Enabled'.
I have to say though that the majority of these sorts of policies should not be tatooing so I would first reboot the machine to be sure...
Hope this helps...
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
griffisblessingAuthor Commented:
Thanks for the help.  In the end I ended up editing the group policy directly in a text editor.  This allowed me to make the changes that I needed.  IE7's ADM template was not quite robust enough to get in to the settings that I needed to change.  Your help and suggestions gave me a good framework to go from.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.