Windows 2008 Group Policies Prevent Tattooing

compdigit44 asked:

I have a Windows 2008 domain and am using ADM files for group policies. I know that with Group Policy Preferences you have the ability to "Remove the item/setting once it becomes unmanaged". Is there some way to apply such a setting to an entire GPO? I plan on implementing a new GPO shortly that has totally different IE settings, proxy, workstation settings etc., and do not want remains of the old policy to be left behind on the workstations.

I know GP writes to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Policies

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

But if a workstation or user falls out of the scope of the GP, I'm trying to find a way for these registry values to be reset...
motnahp00:

Use the Registry Preference to not tattoo your GPO settings. Specify Update when configuring your registry settings.
McKnife:
Hi.
Let me quote http://www.gpoguy.com/FAQs/Whitepapers/tabid/63/articleType/ArticleView/articleId/5/Understanding-Policy-Tattooing.aspx :
Basically, how Group Policy prevents registry tattooing is fairly simple. Microsoft has allocated 4 registry keys--2 under HKEY_LOCAL_MACHINE and 2 under HKEY_CURRENT_USER which are considered "no-tattooing zones".  Any registry values placed under one of these 4 keys will be removed when the policy no longer applies. These 4 keys are:
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

So if the policy falls out of scope, it's no longer applied (if you set it to) and the settings are removed automatically, no need for action.
compdigit44 (asker):

Thanks for the replies everyone. My problem is that my old Group Policy does not use any GPPs and also contains a number of custom ADM files which are no longer required. I know ADM files are just registry settings. I have already done a test and removed my old GP from a test OU, and some of the old GP settings were still present in the workstation's registry after a gpupdate /force and several reboots. How can I make sure old GP settings are cleanly removed once a GP is no longer applied to a workstation?
Once the GPO is no longer processed the "UPDATE" registry setting is removed. If you processed the registry with "REPLACE" and removed the GPO from the OU, it will tattoo the registry settings regardless of what you do.
Thanks but I'm confused...

For example, my old GPO has a number of Internet Explorer settings that were defined using Computer -> Admin Templates -> Windows Components. How would I know if these settings are applied using update or replace? This is the part which I'm confused over...
Those are updated based on group policy processing. When the scope no longer applies, it will revert to using local policies configured.
@motnahp00: he is talking about ADMs, not group policy preferences.
@compdigit44: The settings that remain are really from the parts of the registry you quoted? Are you perfectly sure? Because my article says that those are reverted when the policy is removed/falls out of scope. Please do a gpupdate /force at the client just to make sure it did not miss the policy removal.
Here's my problem..

All of my old GP Internet Explorer settings, like the proxy etc., are still present in the following registry key after the policy is removed:

HKCU\Software\Microsoft\Windows\Current Version\Internet Settings.

I really wish there was a check box or some easy way to set a GPO to automatically remove all settings once the object falls out of the management scope.
Do they go away for you when you right click on "Internet Explorer Maintenance" and select "Reset Browser Settings"?
What policy uses that path HKCU\Software\Microsoft\Windows\Current Version\Internet Settings? As far as I can see, none does. Policies don't use that path (according to the MS documentation), therefore, the settings in there won't be removed.
I have tried to reset the IE Maintenance settings, but good suggestion. All of the settings that are present in the key that I listed are from the Internet Explorer Maintenance settings.
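A way to check McKnife's point on your own test workstation, as an added PowerShell example that is not from any poster in this thread: take one snapshot of the four policy keys plus the Internet Settings key while the old GPO still applies, remove the GPO, run gpupdate /force and log back on, then take a second snapshot and diff the two. Values under the four policy keys should report as Removed; anything the IE Maintenance settings wrote under Internet Settings will report as StillPresent, which is exactly the tattooed set you need to deal with. It assumes you run it as the affected user (HKCU is per-user) and that the snapshot file name under $env:TEMP is an arbitrary choice.

```powershell
# Added example, not from the thread. Snapshot and diff registry values to see
# which leftovers live in Group Policy's self-cleaning keys and which do not.

# The four keys Group Policy removes values from when a policy no longer applies.
$PolicyKeys = @(
    'HKLM:\Software\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
)
# Non-policy key where IE Maintenance wrote the asker's proxy settings; not cleaned up.
$TattooKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$SnapshotFile = Join-Path $env:TEMP 'gpo-before.xml'   # arbitrary location (assumption)

function Get-RegistrySnapshot {
    # Returns a hashtable of "full key path\value name" -> value as a string.
    param([string[]]$Roots)
    $snap = @{}
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                $path  = "$($key.Name)\$label"
                # Join arrays (REG_MULTI_SZ, REG_BINARY) so they compare as plain strings
                $snap[$path] = [string]::Join(',', @($key.GetValue($name)))
            }
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    # Classifies every value from the "before" snapshot as Removed, Changed or StillPresent.
    param([hashtable]$Before, [hashtable]$After)
    foreach ($path in ($Before.Keys | Sort-Object)) {
        if (-not $After.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; State = 'Removed';      Value = $Before[$path] }
        } elseif ($After[$path] -ne $Before[$path]) {
            [pscustomobject]@{ Path = $path; State = 'Changed';      Value = $After[$path] }
        } else {
            [pscustomobject]@{ Path = $path; State = 'StillPresent'; Value = $Before[$path] }
        }
    }
}

# Step 1: run while the old GPO is still linked, as the affected user.
if (-not (Test-Path $SnapshotFile)) {
    Get-RegistrySnapshot ($PolicyKeys + $TattooKeys) | Export-Clixml $SnapshotFile
    Write-Host "Baseline saved to $SnapshotFile. Now unlink the GPO, run gpupdate /force, log off/on and run this script again."
    return
}

# Step 2: after the GPO is gone, compare and show what did not get cleaned up.
$before = Import-Clixml $SnapshotFile
$after  = Get-RegistrySnapshot ($PolicyKeys + $TattooKeys)
Compare-RegistrySnapshot -Before $before -After $after |
    Where-Object State -ne 'Removed' |
    Format-Table -AutoSize
```

The report only tells you what stayed behind; it does not undo anything. The values it lists under the policy keys after a correct removal should be none, while the Internet Settings entries are the ones that need an explicit clean-up, for example through the GPP Registry item motnahp00 mentions, which does carry the "remove when no longer applied" option.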
ASKER CERTIFIED SOLUTION (McKnife)
It's too bad there isn't a check box on a GPO to allow you to revert all settings once the object falls out of the GP's scope to prevent tattooing.