

Cannot Remove Software Restriction Policy

Medium Priority
Last Modified: 2012-05-07
Someone added a blank software restriction policy to a Policy that was applied domain wide. Caused me problems. Anyway, I took the SRP off of that policy, and tried gpupdate, gpupdate /force, gpupdate /sync to no avail. I removed the link and the enforcement from that Policy to the OU (all OUs). Tried to gpupdate... nothing. I removed a PC from the domain and logged in as a local admin; Resultant Set of Policy says I still have SRP. I rejoined the domain hoping to overwrite because they should only be receiving the Default Domain Policy -- which does not have an SRP. Still nothing. I really need to find an answer else I'm gonna be reformatting machines until I die. I tried the Microsoft FixIt BS and it doesn't work either.


I'm still screwed as of right now. I need to connect to the network to install programs. I use static IPs so when I input my DNS server I automatically pick up the SRP.


To add even more -- I've deleted registry entries from HKCU and HKLM for software/policies/microsoft and currentversion/policies. I've deleted Windows/system32/GroupPolicy. Still nothing. I restarted the PDC and SDC, all the machines, have run gpupdate. Have removed ALL GPs. gpresult said N/A GPOs were applied. Default Domain Policy is disabled, and the Local Group Policy is not applied -- same thing for user settings. When I use the MMC to look at RSoP it still tells me I have SRP. Definitely in a bind.

What a mess! Anything coming up in the event viewer? Use RSoP on the DC and see what you get. Are your OUs inheriting any policies? Just a few things to check.


There are no errors in the event log, just that the security policy was applied successfully. I ran RSoP on the DC and it has the policy applied as well. My boss (CIO but not tech oriented) logged in as her user, which is set to receive the GPO. There are currently applied GPOs, all are disabled. The Default GPO was inherited by all but I even disabled that. Although the DGPO did NOT have any SRP.

The GPO is set on user accounts? Do these user accounts have admin rights? I believe in order for GPOs to be applied to user accounts that modify registry/permissions/security in any way, users need to have some sort of elevated privileges.

I might be completely wrong in that last statement. I think I remember reading that somewhere though. Check it out and see if I'm right.


Those user accounts have local administrative rights, not domain wide. But like I said, as soon as I point any PC to my DC, even if it's not on the domain, I get an SRP. I don't get that at all.

BitsBytesandMore, Network Operations Manager
Top Expert 2009

What a mess... Have you tried turning off the PDC to see if the SDC also has the same problem?
How many users do you have?
If it works with the SDC you might want to consider running dcpromo... it installs or removes the Active Directory services and recreates everything from the SDC...


From what I've been reading, all security options via GPO "tattoo" the PC. I did not leave the PDC off, just restarted, and the SDC took over the domain control (but remember I'm using static addressing, so the users still point their primary DNS to the PDC and the secondary is the SDC). Did not help, so I restarted the SDC and the PDC took over again. Replication between servers seems fine. I created a test OU and applied a new GPO with no SRP and it did nothing. So I changed the SRP to not apply to local admins (which all my users are for our 3rd party management system {bad, I know}). Did not help either. So you're suggesting leaving the PDC offline for a bit and then running gpupdate /force and seeing what happens? I've been trying to read about creating custom ADMs but I'm also running an office of 125+ PCs by myself this week. I just had a core switch fail as well (stressed!)


I have a CD with some software that needs to install a virtual LPT port (LPT1). SRP prevents me from running these 3 .msi files. I have another .msi that is my CiscoVPN client installer. I moved the VPN installer to the same location as the other .msi's. I can open my VPN msi but none of the others. All are in the same directory. I moved the restricted .msi's from disk to disk to remove security but still nothing.
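
For reference alongside the registry cleanup described in this thread, here is an added example (not posted by any participant): a read-only PowerShell script that lists what Software Restriction Policy settings and rules are still stored under the `Safer\CodeIdentifiers` policy keys in HKLM and HKCU, which is where a client keeps SRP state after it has been delivered. The function name `Get-SrpSnapshot` is hypothetical, and the script assumes it is run on an affected machine by the affected user.

```powershell
# Added example: read-only dump of Software Restriction Policy registry state.
# Get-SrpSnapshot is a hypothetical helper name, not a built-in cmdlet.
$levels  = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
              131072 = 'Basic User'; 262144 = 'Unrestricted' }
$scopes  = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$enforce = @{ 0 = 'No enforcement'; 1 = 'All files except DLLs'; 2 = 'All files including DLLs' }

function Get-SrpSnapshot {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        # No key at all means no registry-based SRP for this hive.
        return [pscustomobject]@{ Root = $Root; Present = $false; Rules = @() }
    }
    $p = Get-ItemProperty -LiteralPath $Root
    $rules = foreach ($levelKey in Get-ChildItem -LiteralPath $Root) {
        $levelId = 0
        # Rule subkeys are named after the numeric security level (0, 262144, ...).
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelId)) { continue }
        foreach ($typeKey in Get-ChildItem -LiteralPath $levelKey.PSPath) {      # Paths, Hashes, UrlZones
            foreach ($ruleKey in Get-ChildItem -LiteralPath $typeKey.PSPath) {   # one GUID key per rule
                $r = Get-ItemProperty -LiteralPath $ruleKey.PSPath
                [pscustomobject]@{
                    Level       = $levels[$levelId]
                    Type        = $typeKey.PSChildName
                    RuleId      = $ruleKey.PSChildName
                    Item        = $r.ItemData      # path string, or hash bytes for hash rules
                    Description = $r.Description
                }
            }
        }
    }
    [pscustomobject]@{
        Root            = $Root
        Present         = $true
        DefaultLevel    = $(if ($null -ne $p.DefaultLevel) { $levels[[int]$p.DefaultLevel] })
        Scope           = $(if ($null -ne $p.PolicyScope) { $scopes[[int]$p.PolicyScope] })
        Enforcement     = $(if ($null -ne $p.TransparentEnabled) { $enforce[[int]$p.TransparentEnabled] })
        ExecutableTypes = $p.ExecutableTypes -join ','
        Rules           = @($rules)
    }
}

# Inspect the computer-wide and per-user policy keys, then list every rule found.
$snapshots = 'HKLM', 'HKCU' | ForEach-Object {
    Get-SrpSnapshot -Root "$($_):\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
}
$snapshots | Select-Object Root, Present, DefaultLevel, Scope, Enforcement, ExecutableTypes | Format-List
$snapshots | ForEach-Object { $_.Rules } | Format-Table Level, Type, Item, Description -AutoSize
```

The HKCU results reflect only the account running the script, so run it as the user who is seeing the restriction.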