Solved

recreate GPO's

Posted on 2013-01-18
2
299 Views
Last Modified: 2013-01-19
win2008 r2 domain and win7 clients.

would like to tidy and recreate some of my GPOs. if a previous policy was set as 'enabled' am I correct thinking if its configured  state is 'disabled' i need to  'disable' this policy rather than make it unconfigured as this would just leave it as 'enabled' on computers that have previously had that policy applied?

is there a simple way to revert all my computers back to default settings so they can apply the new policy from fresh? don't want to image them all.

hope that makes sense!
0
Comment
Question by:Pete
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 13

Expert Comment

by:imkottees
ID: 38795171
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 38795603
It really depends on the settings configured by your GPOs.  Many group policy settings (true "policies") are removed whenever the GPO no longer applies, but then there are preferences which tattoo their settings, and the setting does not revert when the GPO is gone.  To undo these preferences, you have to set the GPO to reverse the setting it previously made.
Here's a couple links which explain the difference between GP policy, preferences, and GP Preferences.
http://blogs.technet.com/b/grouppolicy/archive/2008/03/04/gp-policy-vs-preference-vs-gp-preferences.aspx
http://www.gpoguy.com/faqs/whitepapers/tabid/63/articletype/articleview/articleid/5/understanding-policy-tattooing.aspx

So, to directly answer your questions:
 - no, you don't always have to reconfigure a GPO to reverse whatever setting it was making.  Often it's enough to just have the setting not applied anymore, which can be done by a few methods, including:  changing the setting to "not configured"; modifying the GPO (not the settings inside the GPO) so that all settings are disabled; disabling or deleting the link between an OU and the GPO; changing the security filtering of the GPO so it is no longer applied.
 - No.  Unless all settings were true policies, in which case simply not applying the GPOs would remove their effects.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question