Solved

Updating a Group Policy Object does not remove previous settings

Posted on 2009-04-13
Last Modified: 2012-05-06
I'm using MS's Group Policy Management console to manage our group policy infrastructure. I've got a policy that manages IE7 settings. I'd like to remove some settings from this policy and push out the changes. When I make the changes and apply the new policy, the old settings are not removed from the affected computers.

Is there a way to remove settings that were applied by a previous policy?  If so, how?

Thanks.
Question by:griffisblessing
6 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24130264
How are you making the changes? You mention creating a new policy - are you creating a separate GPO with conflicting policies to the existing one, or are you simply editing the original GPO and removing the settings from here?
After making the changes, have you run gpupdate /force on a client machine and then rebooted it?
Certain policies applied will remain after removing the GPO which set them - what settings are you trying to remove?
0
 

Author Comment

by:griffisblessing
ID: 24130290
In this particular case, I have 2 separate policies for IE.  One is applied to one group of machines, etc.  What I'm trying to do is take a group of machines that had one policy applied and instead apply the other policy.  Specifically, the old policy had User Configuration settings, and the new policy does not.

I have run "gpupdate /force", but have not rebooted yet. It seems as though it will append the different settings in the new policy, but it will not remove settings made by the initial policy.

Hope this helps to explain it further.  Thanks for the help and quick reply.
0
 
LVL 27

Expert Comment

by:bluntTony
ID: 24130432
OK - have you removed the old GPO (un-linked it from the OU), or do you now have both GPOs applying to the OU?
Because one is a set of computer settings, and one is user settings, they are not actually conflicting. If you want the second GPO to over-rule the existing one, they both have to have the same settings, and you need to ensure that the new GPO is higher in precedence than the existing one (so that it over-rules). Also note that 'Not-defined' in the new GPO will not clear a setting applied in another GPO - it won't have any effect at all, so you can't rely on this to cancel settings.
Incidentally, user settings will only apply to a user object, and computer settings to computers, i.e. if you configure user settings on a GPO and link it to an OU holding just computer accounts, then the settings will not take any effect (sorry if I'm stating the obvious!!)
Also, I would at least run gpupdate /force and then log off (as the original settings were user settings). Once logged back in, check with gpresult that the correct policies are applying.
0

Author Comment

by:griffisblessing
ID: 24130508
Yes, I unlinked the original policy, then linked up the new one. I am fairly comfortable dealing with GP Management and creation, I'm just always baffled as to whether or not a newly applied policy clears settings from a previous policy. Maybe the correct question to ask is ... Is there a way to remove settings from a previous policy by applying a new policy?

Thanks.
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 2000 total points
ID: 24130661
The majority of group policy settings should just revert back to default if the GPO is removed - some settings such as security settings do tattoo and have to be cancelled out by another local/group policy.
Before you go any further I would recommend actually forcing a policy refresh on the machine after removing the GPO, then reboot the machine so that all computer/user settings can be fully re-applied (not all policies will refresh properly while a user is logged in).
Then check that the old policy is no longer applying (use gpresult). If not, check to see if any old settings are still applying. If they are, check in an RSoP query that they are definitely not being applied from anywhere in group policy. If not, it looks like the settings will have tattooed. If this is the case, then they will need to be cancelled out by another policy by configuring conflicting settings. For example, for a setting which is boolean (simply enabled or disabled), rather than just applying a GPO where the settings are 'Not Defined' (this won't cancel the old setting), you would have to apply a GPO where the setting is 'Disabled' to cancel out the previous 'Enabled'.
I have to say though that the majority of these sorts of policies should not be tattooing so I would first reboot the machine to be sure...
Hope this helps...
0
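The verification sequence from the accepted solution, as an added PowerShell example that is not part of the original thread. The GPO name, registry path and value name are placeholders to fill in, and the script assumes the setting is registry-based and that `gpresult /x` is available (Windows Vista / Server 2008 or later).

```powershell
# Added example, not from the thread. All three parameters are placeholders:
# the GPO that was unlinked and one registry value it used to configure.
param(
    [string]$OldGpoName = '<OLD-GPO-NAME>',
    [string]$RegPath    = 'HKCU:\<PATH-TO-SETTING>',
    [string]$RegValue   = '<VALUE-NAME>'
)

# 1. Force a policy refresh. User settings still need a logoff/logon and
#    some computer settings a reboot before the result is final.
gpupdate /force | Out-Null

# 2. Save the Resultant Set of Policy for this user and computer as XML.
$report = Join-Path $env:TEMP 'rsop-check.xml'
gpresult /x $report /f | Out-Null
[xml]$rsop = Get-Content -Path $report -Raw

# 3. Is the old GPO still listed in the report? local-name() is used so the
#    query does not depend on the report's XML namespace prefixes.
$xpath  = "//*[local-name()='GPO']/*[local-name()='Name']"
$listed = @($rsop.SelectNodes($xpath) | ForEach-Object { $_.InnerText } |
            Sort-Object -Unique)
$gpoStillListed = $listed -contains $OldGpoName

# 4. Is the old setting still present on the machine?
$item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
$valuePresent = $null -ne $item

# 5. Combine the two observations into the diagnosis the answer describes.
$diagnosis = if ($gpoStillListed) {
    'Old GPO is still in the RSoP report: check links, inheritance and filtering.'
} elseif ($valuePresent) {
    'GPO is gone but the value remains: likely tattooed. Apply a GPO that sets ' +
    'the opposite value explicitly; Not Defined will not clear it.'
} else {
    'GPO is gone and the value is gone: the setting reverted.'
}

[pscustomobject]@{
    OldGpo         = $OldGpoName
    GpoStillListed = $gpoStillListed
    ValuePresent   = $valuePresent
    CurrentValue   = if ($valuePresent) { $item.$RegValue } else { $null }
    Diagnosis      = $diagnosis
}
```

Run it as the affected user after logging off and back on, since `gpresult` reports user results for the account that runs it.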
 

Author Closing Comment

by:griffisblessing
ID: 31569515
Thanks for the help. In the end I ended up editing the group policy directly in a text editor. This allowed me to make the changes that I needed. IE7's ADM template was not quite robust enough to get into the settings that I needed to change. Your help and suggestions gave me a good framework to go from.
0
