Solved

Updating a Group Policy Object does not remove previous settings

Posted on 2009-04-13
Last Modified: 2012-05-06
I'm using MS's Group Policy Management console to manage our group policy infrastructure.  I've got a policy that manages IE7 settings.  I'd like to remove some settings from this policy and push out the changes.  When I make the changes and apply the new policy, the old settings are not removed from the affected computers.

Is there a way to remove settings that were applied by a previous policy?  If so, how?

Thanks.
0
Question by:griffisblessing
6 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24130264
How are you making the changes? You mention creating a new policy - are you creating a separate GPO with conflicting policies to the existing one, or are you simply editing the original GPO and removing the settings from here?
After making the changes, have you run gpupdate /force on a client machine and then rebooted it?
Certain policies applied will remain after removing the GPO which set them - what settings are you trying to remove?
0
 

Author Comment

by:griffisblessing
ID: 24130290
In this particular case, I have 2 separate policies for IE.  One is applied to one group of machines, etc.  What I'm trying to do is take a group of machines that had one policy applied and instead apply the other policy.  Specifically, the old policy had User Configuration settings, and the new policy does not.

I have run "gpupdate /force", but have not rebooted yet.  It seems as though it will append the different settings in the new policy, but it will not remove settings made by the initial policy.

Hope this helps to explain it further.  Thanks for the help and quick reply.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24130432
OK - have you removed the old GPO (un-linked it from the OU), or do you now have both GPOs applying to the OU?
Because one is a set of computer settings, and one is user settings, they are not actually conflicting. If you want the second GPO to over-rule the existing one, they both have to have the same settings, and you need to ensure that the new GPO is higher in precedence than the existing one (so that it over-rules). Also note that 'Not-defined' in the new GPO will not clear a setting applied in another GPO - it won't have any effect at all, so you can't rely on this to cancel settings.
Incidentally, user settings will only apply to a user object, and computer settings to computers, i.e. if you configure user settings on a GPO and link it to an OU holding just computer accounts, then the settings will not take any effect (sorry if I'm stating the obvious!!)
Also, I would at least run gpupdate /force and then log off (as the original settings were user settings). Once logged back in, check with gpresult that the correct policies are applying.
0
 

Author Comment

by:griffisblessing
ID: 24130508
Yes, I unlinked the original policy, then linked up the new one.  I am fairly comfortable dealing with GP Management and creation, it's just always baffled me as to whether or not a newly applied policy clears settings from a previous policy.  Maybe the correct question to ask is ... Is there a way to remove settings from a previous policy by applying a new policy?

Thanks.
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24130661
The majority of group policy settings should just revert back to default if the GPO is removed - some settings such as security settings do tattoo and have to be cancelled out by another local/group policy.
Before you go any further I would recommend actually forcing a policy refresh on the machine after removing the GPO, then reboot the machine so that all computer/user settings can be fully re-applied (not all policies will refresh properly while a user is logged in).
Then check that the old policy is no longer applying (use gpresult). If not, check to see if any old settings are still applying. If they are, check in an RSoP query that they are definitely not being applied from anywhere in group policy. If not, it looks like the settings will have tattooed. If this is the case, then they will need to be cancelled out by another policy by configuring conflicting settings. For example, for a setting which is boolean (simply enabled or disabled), rather than just applying a GPO where the settings are 'Not Defined' (this won't cancel the old setting), you would have to apply a GPO where the setting is 'Disabled' to cancel out the previous 'Enabled'.
I have to say though that the majority of these sorts of policies should not be tattooing so I would first reboot the machine to be sure...
Hope this helps...
0
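Added example, not part of the thread: a PowerShell check for the tattooing case described in the accepted answer, to be run as the affected user after the GPO has been unlinked, policy refreshed and the machine rebooted. It relies on the fact that registry-based policy written under the `Software\Policies` and `Software\Microsoft\Windows\CurrentVersion\Policies` keys is removed when the GPO stops applying, while values written elsewhere persist; the registry paths and value names in `$Settings` are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example: registry locations below are constructed placeholders, not real IE7 settings.
# Registry-based policy written under these subkeys is removed by the client when the GPO
# stops applying; values an ADM template writes anywhere else stay behind (tattoo).
$ManagedRoots = @(
    'Software\Policies\',
    'Software\Microsoft\Windows\CurrentVersion\Policies\'
)

# Settings the unlinked GPO used to configure (fill in from that GPO's settings report).
$Settings = @(
    @{ Hive = 'HKCU'; SubKey = 'Software\Policies\ExampleVendor\ExampleApp'; Name = 'ExampleManagedValue' },
    @{ Hive = 'HKCU'; SubKey = 'Software\ExampleVendor\ExampleApp';          Name = 'ExamplePreferenceValue' }
)

# True when the subkey sits under one of the managed policy roots.
function Test-ManagedPolicyPath {
    param([string]$SubKey)
    $candidate = $SubKey.TrimEnd('\') + '\'
    foreach ($root in $ManagedRoots) {
        if ($candidate.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Reads each value from the live registry and classifies what is left behind.
function Get-TattooReport {
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        $path    = '{0}:\{1}' -f $s.Hive, $s.SubKey
        $item    = Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue
        $managed = Test-ManagedPolicyPath -SubKey $s.SubKey
        if ($null -eq $item) {
            $status = 'Cleared: value is gone'
        } elseif ($managed) {
            $status = 'Still in a policy key: some GPO or local policy sets it, check gpresult/RSoP'
        } else {
            $status = 'Tattooed: needs an explicit opposing setting (e.g. Disabled) to reverse'
        }
        New-Object PSObject -Property @{
            Name = $s.Name; Path = $path; Managed = $managed; Status = $status
            Value = $(if ($item) { $item.($s.Name) })
        }
    }
}

Get-TattooReport -Settings $Settings | Format-Table Name, Value, Managed, Status, Path -AutoSize
```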
 

Author Closing Comment

by:griffisblessing
ID: 31569515
Thanks for the help.  In the end I ended up editing the group policy directly in a text editor.  This allowed me to make the changes that I needed.  IE7's ADM template was not quite robust enough to get into the settings that I needed to change.  Your help and suggestions gave me a good framework to go from.
0
