Solved

Group Policy Clean up @ My Company

Posted on 2014-02-19
3
291 Views
Last Modified: 2014-12-29
Good morning everyone.

I have been tasked with cleaning up the disaster that is my company's group policy..... I'm in need of some clarification...

Easy Example:
Control Panel/Personalization/Prevent Changing Screen Saver     ENABLED

So if I understand group policy correctly, since this setting is "flipped on" (I've read this also referred to as "tattooed") even though I choose "not configured", it will stay "flipped on" until it is "flipped off", correct?  So for me to clean this setting, I have to flip it to Disabled, let it sit for a while and then set it to "not configured".  Is that correct?

Now, I am working in a Group Policy environment that has existed since this company went to active directory a thousand years ago.... It has been used and abused.  I am thinking that there are probably settings all over the place that have been "flipped on" and never "flipped off".  The only way I can think to get around this is to clear the GPO policy on the client machines and force a GPO update..... I've taken a look around and found I can do either of the following:

Delete C:\WINDOWS\security\Database\secedit.sdb
GPupdate /force

or should I just delete

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

then a gpupdate /force

Think I can add a script to their login .bat files that does this safely?


2nd Example:
Folder Redirection Downloads : Enabled

So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy.  I should flip it to disabled, let it sit, then flip to "not configured", correct?


One more question: if settings are set to "not configured", will they show up in the GPMC when I click the "Settings" tab?  (I'm thinking the answer is no...)

Thanks for your help!
Question by:vrmanrtell
3 Comments
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39872323
I'm going to lurk more than anything, but the first question I would have is what is the functional level of the domain. The second would be what OS is on the clients.
 
LVL 17

Assisted Solution

by:James Haywood
James Haywood earned 200 total points
ID: 39872716
Policies vs Preferences

Policies are usually defaulted to 'Not Configured' and can usually be enabled or disabled. To reverse the change the setting can be set back to not configured.

Preferences work in a similar manner to Policies but once 'enabled' are 'tattooed'. To reverse the change the setting will need to be 'disabled'. A good example of this is the map drive group policy preference on the user side. If you have configured a 'create a map drive' using the drive letter X then this will stay applied until you create a 'delete specific drive' setting to override the create.

If settings are set to not configured you are correct they will not show in GPMC.

Either of the settings above should clear the GPOs but you may well find they are linked to reg edits and/or batch files which would still be present.

Just to reiterate that a lot of older GPOs (since NT/2K) made heavy use of batch files and scripts to fill in the holes not covered natively by GP. These are the hardest to troubleshoot as it's much easier writing scripts than reading them.

To enable a clean-up you would be best (if possible) to create new OUs, put in a couple of test clients and create new GPOs for these OUs. This would allow you to test settings in a more controlled environment. You would also have to prevent inheritance to stop the domain level GPOs from flowing down.

If you have any sort of development rig then the best idea would be to take a copy of your current AD environment and you can work knowing that you aren't going to disrupt people's work.

Finally, GP is seriously powerful, so be careful if you do have to work in a live environment.
 
LVL 35

Accepted Solution

by:Nick Sui
Nick Sui earned 200 total points
ID: 39873106
You have three questions and these are answered below:

1. Delete Secedit.sdb or not?
No need to delete this file unless you have configured user rights assignment and Security Options found in GPO under Computer Configuration.

If you need to delete this then follow the approach below:
a. Copy Secedit.sdb from a computer which is not joined to the domain or on which GPO policies have not been applied yet.
b. Use the Security and Configuration Analyzer MMC > open Secedit.sdb > export the configuration and reapply the exported configuration using secedit.exe.

2. Should I delete the registry entries below or not?

HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

Yes, this is where registry GPO settings are applied. This is only applicable for the computer account. You must also delete the same set of keys from the User hive.

3. So even if I choose "not configured" now, it will still be "tattooed" on the computers that have run this policy.  I should flip it to disabled, let it sit, then flip to "not configured", correct?

Yes. This is the best way to do it so far!

Sys.
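The clean-up the question proposes and the accepted answer endorses (clearing the four Policies keys and then running gpupdate /force) is worth doing with a backup and a dry-run first, since the HKLM keys also hold values Windows itself reads. Below is an added PowerShell example, not a script from the thread or from any of the posters, that audits what is currently tattooed under those keys, exports each key with reg.exe before touching it, and only deletes the contents when run with the -Remove switch. The switch name, the backup folder and the use of -WhatIf are assumptions of this example; the four key paths are the ones named in the question.

```powershell
# Added example (not from the thread): audit, back up and optionally clear the
# registry locations where Group Policy writes its registry-based settings,
# then refresh policy. Run in an elevated PowerShell session on a test client.
# -Remove and -BackupDir are names chosen for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    [string]$BackupDir = "$env:SystemDrive\GPO-Cleanup-Backup"
)

# The four keys named in the question: HKCU pair for the user hive,
# HKLM pair for the computer hive.
$policyKeys = @(
    'HKCU\Software\Policies',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM\SOFTWARE\Policies',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($key in $policyKeys) {
    # Provider path (HKCU:\...) for the registry cmdlets; reg.exe wants HKCU\...
    $psPath = $key -replace '^(HK..)\\', '$1:\'
    if (-not (Test-Path $psPath)) {
        Write-Verbose "$key not present, skipping"
        continue
    }

    # 1. Audit: list every value currently sitting under the key, root included.
    Write-Host "== $key =="
    $subtree = @(Get-Item -Path $psPath) +
               @(Get-ChildItem -Path $psPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $subtree) {
        foreach ($name in $item.GetValueNames()) {
            '{0}\{1} = {2}' -f $item.Name, $name, $item.GetValue($name)
        }
    }

    # 2. Back up the whole key with reg.exe before anything is removed.
    $file = Join-Path $BackupDir (($key -replace '[\\:]', '_') + "-$stamp.reg")
    & reg.exe export $key $file /y | Out-Null
    Write-Host "backed up to $file"

    # 3. Optionally clear the key's contents (subkeys and root values) so the
    #    next refresh rewrites only what the current GPOs actually set.
    #    ShouldProcess makes -WhatIf report instead of delete.
    if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Clear policy key contents')) {
        Get-ChildItem -Path $psPath |
            Remove-Item -Recurse -Force -ErrorAction Continue
        $root = Get-Item -Path $psPath
        foreach ($name in $root.GetValueNames()) {
            if ($name) {
                Remove-ItemProperty -Path $psPath -Name $name -ErrorAction Continue
            }
        }
    }
}

if ($Remove) {
    # Re-apply policy: settings still defined in linked GPOs come back,
    # anything that was only tattooed stays gone.
    & gpupdate.exe /force
}
```

Run it once without -Remove to get the audit listing and the .reg backups, then with -Remove -WhatIf to see what would be cleared, and only then with -Remove on the test clients James Haywood recommends setting up in their own OU. Two caveats: the HKCU pair is whichever user runs the script, so a user-side clean-up has to run in that user's session rather than from an admin's elevated prompt; and some subkeys under the HKLM keys are protected or hold values Windows depends on, so expect -ErrorAction Continue to report a few failures and keep the exported .reg files until the client has been verified.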