• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2031

Group Policy is applying after GPO deletion

I have a group policy setting which is still affecting clients even after the GPO has been deleted (not just the link).  I have verified that the policy no longer exists in the "\\DOMAIN_NAME\SYSVOL\DOMAIN_NAME\Policies" folder.  I have restarted the clients several times and RSOP still shows the policy in effect.  The policy name is no longer present but the SID is still showing.
WSUS-GPO-Issue.JPG
Asked by: CCBIL
1 Solution
 
Perry_IDITC Commented:
Hi,

It looks like the cached copies of the policy are still out there. You can create another tmp policy to delete the cached policies by going to Computer Configuration \ Administrative Templates \ System \ User Profiles and setting "Delete cached copies of roaming profiles" as described here: http://support.microsoft.com/kb/274152

Cheers,
Perry
0
 
CCBIL Author Commented:
The Group Policy setting applies to computer settings rather than user settings.   Also, the GPO setting deals with WSUS settings rather than roaming user profiles.  A new policy that modifies the same values exists and shows as being applied, however when using RSOP the old policy "wins".
0
 
Perry_IDITC Commented:
Have you run gpupdate /force and netdiag /v /l? And/or restarted your server?
0
 
Don Network Administrator Commented:
Try this on your Domain Controller.
Browse to:
 
C:\WINDOWS\SYSVOL\sysvol\<DomainName>\Policies
Locate the ghost GUID and delete.

0
 
Don Network Administrator Commented:
Oops, you already did that.
0
 
Don Network Administrator Commented:
0
 
CCBIL Author Commented:
I used ADSI Edit and navigated to DOMAIN > CN=System > CN=Policies.
However the GPO SID is not listed.  Any idea if the registry keeps a cached list of Group Policies?  I know that it keeps a history of policies under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History]

I found the reference to the old GPO and removed it from the client but that did not solve the issue.

0
 
Don Network Administrator Commented:
Did you try doing a search for the GUID throughout the registry?
0
 
Don Network Administrator Commented:
0
 
CCBIL Author Commented:
The only location in the registry showing the GUID is

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History]

I removed the entry under this key for one of the clients but it did not change anything.
0
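The manual comparison described in the posts above (GUIDs recorded in the client's History key versus folders present under SYSVOL\Policies), as an added PowerShell example that is not part of any post in this thread. It assumes PowerShell 3.0 or later, that each numbered subkey under History carries `GPOName` and `DisplayName` values, and it uses the placeholder SYSVOL path from the question.

```powershell
# Added example (not from the thread). Lists every GPO recorded in this
# client's Group Policy History key and checks whether its folder still
# exists under SYSVOL\Policies.
$historyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
# Placeholder path exactly as written in the question; substitute your domain.
$policiesRoot = '\\DOMAIN_NAME\SYSVOL\DOMAIN_NAME\Policies'
$guidPattern  = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

$report = Get-ChildItem -Path $historyKey -Recurse -ErrorAction Stop |
    ForEach-Object {
        $values = Get-ItemProperty -LiteralPath $_.PSPath
        # Only the numbered subkeys carry GPOName (assumed value name);
        # the local GPO has a non-GUID name and is skipped by the pattern.
        if ($values.GPOName -match $guidPattern) {
            [pscustomobject]@{
                Extension   = Split-Path -Path $_.PSParentPath -Leaf   # client-side extension GUID
                GpoGuid     = $values.GPOName
                DisplayName = $values.DisplayName
                InSysvol    = Test-Path -LiteralPath (Join-Path $policiesRoot $values.GPOName)
            }
        }
    }

# Full picture: which extension last processed which GPO.
$report | Sort-Object GpoGuid, Extension | Format-Table -AutoSize

# GPO GUIDs the client still remembers but that no longer exist in SYSVOL.
$report | Where-Object { -not $_.InSysvol } |
    Select-Object -ExpandProperty GpoGuid -Unique
```

Run it from an elevated prompt on an affected client; it only reads the registry and SYSVOL and changes nothing.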
 
CCBIL Author Commented:
dstewartjr:

I do not think the SYSVOL article applies to my issue.
I have generated a list of orphan GPO objects, however the GPO does not exist in the directory.  

0
 
Perry_IDITC Commented:
Can you recreate the policy with all the settings you had, apply it then remove it?

Here's an interesting article on Group Policy Tattooing. Hopefully it will help.
http://www.gpoguy.com/FAQs/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx

Also, what all was in the group policy you deleted?
0
 
CCBIL Author Commented:
The GPO contained computer settings for Windows Update services.  I have a new GPO with different settings but as you can see from the RSOP screen shot the old nonexistent GPO still "wins".
0
 
CCBIL Author Commented:
The location of the Windows Update settings falls within the "no tattooing" zone in the registry.  I have pushed several updates out, however the old GPO which does not exist still wins.
0
 
Perry_IDITC Commented:
Ok.. I think you are going to have to restore your group policy objects to their original state. Then recreate them.

I would run gpupdate /force on the server then restart it, as a last resort before you try what's next.

Back up a Group Policy object using GPMC
http://technet.microsoft.com/en-us/library/cc782589(WS.10).aspx

Default Group Policy objects become corrupted: disaster recovery
http://technet.microsoft.com/en-us/library/cc739095(WS.10).aspx
-or-
Fix Corrupt Group Policy Database File
http://www.techzonez.com/forums/showthread.php?t=17510
1. Open the %SystemRoot%\Security folder, create a new folder, and then name it "OldSecurity".
2. Move all of the files ending in .log from the %SystemRoot%\Security folder to the OldSecurity folder.
3. Find the Secedit.sdb file in the %SystemRoot%\Security\Database folder, and then rename this file to "Secedit.old".
4. Click Start, click Run, type mmc, and then click OK.
5. Click Console, click Add/Remove Snap-in, and then add the Security and Configuration snap-in.
6. Right-click Security and Configuration and Analysis, and then click Open Database.
7. Browse to the %SystemRoot%\Security\Database folder, type Secedit.sdb in the File name box, and then click Open.
8. When you are prompted to import a template, click Setup Security.inf, and then click Open.

Good luck!
0
 
CCBIL Author Commented:
Winner!!!

Fix Corrupt Group Policy Database file resolved the issue.  I will add one step that I had to perform.

The system would not let me create the new database with the name Secedit.sdb.  I named the database test.sdb then selected the Setup Security.inf template.  I then applied the template to the computer.  After this I renamed test.sdb to secedit.sdb, ran gpupdate and the old corrupted setting was removed and the new correct setting applied.

0
Question has a verified solution.
